Archive for 'Economic Espionage'

Competitive Intelligence Zeroing In On Company’s Intangible Assets…

May 8th, 2015. Published under 'Safeguarding Intangible Assets', Economic Espionage. No Comments.

Michael D. Moberly   May 8, 2015   ‘A blog where attention span really matters’.

Competitive (business) intelligence is alive and well and it’s certainly not all cyber-based even thought there is an abundance of off-the-shelf data mining software available that mitigates the tediousness and time associated with conventional approaches to business intelligence collection.

Perhaps what concerns me most has been the continued expansion of ‘legacy free players’ (Thomas Friedman, ‘The World Is Flat’). My definition of ‘legacy free players’ is quite similar to that of Mr. Friedman’s, that is, these individuals/groups may not be necessarily aligned with or employees of nation state sponsors which are frequently technology dependant and sophisticated, or even organized units/cadres of economic spies. Instead, ‘legacy free players’ are, for the most part, independent operators or groups of individuals whose country of origin and cultural perspective about honoring the proprietary information originated by – belonging to others is a relatively new concept insofar as respecting personal, let alone intellectual property rights. In other words, there is an absence of legal, social, or cultural legacy to others’ properties of the mind, i.e., intellectual – human capital.

Setting that aside for the moment, of all the business leaders and management team members I have had the good fortune of conversing over the past 25+ years, when I introduce the subject of competitive intelligence, a substantial percentage of the time, their initial response is embedded with favorable rationalizations ranging from…

  • everybody does it, to
  • one is foolish if they don’t engage in some manner of competitor – business intelligence.

I am aware of no original research – objective data to indicate such characterizations are as accurate as business leaders assume, based on my many years of work-research in this arena, one would be well advised to consider the consistency of the responses suggest a significant percentage of businesses regularly engage in some level – form of competitor-business intelligence.

While their (intelligence) collection and analysis techniques may not be as sophisticated, analytical, or strategically oriented as those conducted by the countless private (independent) competitor intelligence firms operating globally, the information targeted and collected usually provides business decision makers with useable prognosticative insights variously related to the plans, intentions, and capabilities of competitors, i.e., what they are doing, have done, or, are about to do!

Simply stated, I find the adverse affects (of competitor – business intelligence) usually materialize in one of four ways, that is, the purpose, intent, and/or objective are to…

  • undermine, erode, stifle, and otherwise get ahead of a competitors’ initiatives, competitive advantages, market position, and strategic planning.

Any company’s efforts to counter or mitigate the very real adverse affects of competitor intelligence begins with understanding one’s own company’s IA’s (intangible assets).  This means recognizing that IA’s comprise increasing percentages – 80+% of most company’s value sources of revenue and ‘building blocks for growth, profitability, and sustainability! More specifically, IA’s are the real drivers – underliers to company’s value and sources of revenue which are precisely what competitor-business intelligence operatives are seeking, whether, I might add, they actually realize it or not!

Economic – Cyber Espionage, It’s The Intangible Assets Adversaries Are After!

January 22nd, 2015. Published under 'Safeguarding Intangible Assets', Economic Espionage. No Comments.

Michael D. Moberly   January 22, 2015   ‘A blog where attention span really matters’!

 What economic – competitive adversaries are really targeting…

Having been actively engaged in the intangible asset arena since the early 1990’s as an intangible asset strategist and risk specialist, I am continually hard pressed to understand why the administration, cabinet secretaries, government agency heads, corporate c-suites, and repetitive pundits consistently portray the target(s) of global economic (cyber) espionage as intellectual property, i.e., patents particularly.

My suspicions are that by continually portraying private sector information asset losses in IP-only contexts more attention is drawn to the issue and using IP-laced language to describe the threat and loss presumes ‘the audience’ would find it challenging to understand the intricacies and distinctions of stolen or misappropriated intangible assets, i.e., intellectual, structural, and relationship capital.

 It’s the intangible assets…The persistent initiatives of global economic and competitive advantage adversaries is targeting company’s intangible assets, particularly proprietary know how in the form of intellectual and structural capital that affords adversaries economic and often defense competitive advantages.

These assets are precisely what adversaries’ need, want, and therefore will aggressively and stealthily pursue because, because it is the quickest route to global competitiveness, sector dominance, and profitability while diminishing the reputation of the target (loser).

80+% global economic fact…There is no other time in business governance – management history when steadily rising percentages (80+%) of most company’s value, sources of revenue lie in – emerge almost exclusively, from intangible assets, e.g., intellectual, structural, and relationship capital, reputation, brand, R&D, contracts, and hybrid (proprietary) technologies, etc.

 Issued patents do provide legal standing, but little or no deterrence…Issued IP provides holders with (legal) standing to bring criminal and/or civil action against today’s inevitable infringement. But, patent holders should avoid assuming its’ issuance provides much deterrence because potential economic, competitive advantage, and reputational gains are too probable and lucrative to pass up. So, any notion that the proprietary know how underlying – embedded in patents is magically safeguarded, through conventional IP deterrent affects is, truth be told, substantially more myth than reality.

Assumptions to the contrary represent, in my view, wishful, naïve, and out-of-date thinking.

Think about it…Why would an economic – competitive advantage adversary, data mining operation, information broker, or competitor intelligence firm engage in the presumed risk of acquiring (stealing) a U.S. patent when essentially the same information will be published and available online through the U.S. Patent and Trademark Office?

Admittedly, pursuing the ‘patent route’ is often a business decision (WTO requisite) reflective of today’s globally aggressive, predatorial, winner-take-all, and go fast, go hard, go global business (transaction) environment.

Ultimately, those charged with safeguarding valuable proprietary information of a company or client would be respectfully encouraged to ask, how and which knowledge-based intangible assets originating with a company warrant higher levels and more sophisticated safeguards and resilience planning? The answer, that’s where practitioners are obliged to devote their resources and time!

Economic Espionage, Can There Be A Rationale?

November 15th, 2014. Published under Economic Espionage, Insider Theft of IP and Intangible Assets. No Comments.

Michael D. Moberly   November 15, 2014   ‘A blog where attention span really matters’!

Peculiarly perhaps, economic espionage has been an arena which I have devoted consistent interest and work for 25+ years when I began designing and conducting independent investigative research projects into global economic – competitive advantage adversaries stealing intellectual properties belonging to university-based R&D and their spinoff companies.

One obvious outcome to my work in this arena is that I would be hard pressed to conceive of any rationale whereby economic espionage would be portrayed in other than the most negative context, particularly how it has morphed today as becoming consistent and sophisticated barrages of cyber theft.

Industrial (economic) espionage and its close cousin product piracy and counterfeiting are certainly not new phenomena as each have presented consistent challenges since man first began etching distinguishing (trade) marks on their products.

I remain intrigued however by the boldness of Drs. Whitney and Gaisford (then) of the University of Calgary, in their 1999 paper titled ‘Rationale For Economic Espionage’. While their perspective is thoughtfully articulated, and not without some merit, economic espionage remain as acts which most countries’, institutions, and companies find repugnant and devote substantial resources to combating.

Whitney and Gaisford posit economic espionage can yield strategic, competitive advantage, and cost savings to the beneficiaries. On that point, no argument here! So, when technologically advanced entities are targeted and spied upon, it’s feasible, Whitney and Gaisford suggest, that both may ultimately be better off. The ‘better off’ in this instance, translates as the ‘transfer of technology’ which some argue has become the primary path to world’s greatest transfer of wealth.

As always, readers comments are welcome and respected!

CENTRA Technologies: Estimating the Economic Costs of Espionage

October 8th, 2014. Published under 'Safeguarding Intangible Assets', Economic Espionage. No Comments.

Michael D. Moberly    October 8, 2014     ‘A long form blog where attention span really matters’.

CENTRA Technologies 2010 study, ‘Estimating the Economic Costs of Espionageclose to perfection…

In an excellent, but somewhat overlooked, report published in May, 2010 and prepared for CENTRA Technology by the George Bush School of Government and Public Service at Texas A&M University, ‘researchers constructed a model initially designed for use by the government sector, but which, I find, has relevance to the private sector because it measures economic espionage losses by industry sector.

More specifically, the model identifies and distinguishes the severity and consequences of economic – cyber espionage incidents to the U.S. economy. The ‘CENTRA’ model which Texas A&M researchers constructed…

applies a (loss) ‘severity score’ between 0 and 1, and include open source (case study, incident) information so as to provide a qualitative estimate of the economic “consequences”.

  • low
  • moderate, and/or
  • high adverse (economic) consequences – losses, relative to
    • the victim company’s industry sector, and thus factors two sets of variables, i.e.,
      • Industry variables, i.e., assess the significance of where the incident of economic espionage occurred.

Note: Industry is derived from a combination of the percentage of GDP for each of the 14 industry sectors and the susceptibility/vulnerability of each sector. This process enables the CENTRA model to be individualized to a specific industry and recognizing potentially different consequences to the U.S. economy.

  • Case variables i.e., assess the significance of economic espionage incidents on the basis of…
    • characteristics of the theft (incident) itself.
    • costs directly attributable to the incident (loss) and
    • who the beneficiaries to the incident actually are.
  • Seldom are two incidents of economic espionage identical. To address this, Texas A&M researchers, developed a system for weighing the variables and questions further analysis that such ‘weights’ prompt.
  • So, the Texas A&M model requires practitioners to…
    • first, identify the industry sector in which the incident occurred, and
    • second, identify (individual, specific) ‘case – incident variables’.Ultimately, with all the variables measured, standardized, and weighted against each other, the CENTRA model calculates an overall severity score, which corresponds to individualized (company specific) consequence to incidents of cyber-economic espionage.

This post was inspired by a George Bush School of Government and Public Service, Texas A&M University research project titled   “Estimating the Economic Costs of Espionage”. The reports was prepared for CENTRA Technology by the the Capstone research team comprised of Rich Bell, J. Ethan Bennett, Jillian R. Boles, David M. Goodoien, Jeff W. Irving, Philip B. Kuhlman, and Amanda K. White.  

As always, reader comments are most welcome.

 

 

 

CSIS and McAfee Collaborate: Economic Impact of Cyber Crime and Cyber Espionage

October 7th, 2014. Published under Cyber security, Economic Espionage. 3 Comments.

Michael D. Moberly   October 7, 2014    ‘A long form blog where attention span really matters’.

In 2013, CSIS (Center for Strategic and International Studies) and McAfee partnered to examine cyber – economic espionage impact in a manner more inclusive than what I have previously observed over the past 25+ years. Dr. James Lewis, Senior Fellow and Director of CSIS’ Center for Technology and Public Policy Program, who directed the study, offered his best guess that ‘the upper limit of the costs-losses attributed to cyber – economic espionage might be under one percent of the GDP’ (gross domestic product). Lewis also states, and I paraphrase, ‘U.S. economic costs-losses to cybercrime and economic espionage attributed specifically to – originating in China, may reach as much as $140 billion annually’.

Lewis translates the $140 billion annual IP loss to 508,000 jobs…

While I have no basis to dispute those figures, or question Dr. Lewis’ experienced and respected record of achievements in the cyber crime – economic espionage arena, I do suggest there are two key factors necessary to arrive at the $140 billion annual loss figure, i.e.,

  • determining which assets and/or impacts to include (factor) and
  • the methodology for determining the lost assets’ near and long term value in terms of costs and losses companies will experience with respect to such things as market space, competitive advantages, profitability, sustainability, etc.

But, Lewis claims, and I agree, describing value loss – impact estimates with broad ranges is indicative of the difficulty in calculating losses. Accordingly, companies may be reluctant to reveal (their) victimization impacts, i.e., victim companies may be inclined to (a.) conceal particular portions of their losses, or, (b.) not know how to distinguish which/what intangible assets were targeted, stolen, comprised, or misappropriated. But, Lewis wisely, casts wide ranging estimates of losses attributed to cyber – economic espionage in other contexts, starting with World Bank reports which state global GDP stood at about $70 trillion for the year 2011.  Thus, a $400 billion loss representing the high end range of probable losses attributed to cyber crime and cyber espionage is a fraction of a percent of the global GDP figure. This, Lewis says, prompts additional questions, several of which I have been examining for many years, e.g. who are recipients and/or ultimate beneficiaries of the acquired (intangible) assets; can they expect to – be positioned to maximize those benefits, e.g., market (space) position, sector competitive advantages, reputation, value, sources of revenue, profitability, etc.

Conventional loss surveys assess – assign dollar value to losses… Some IP and intangible asset theft – loss estimates rely on surveys, which Lewis correctly points out, generally produce imprecise findings because among other things respondents, are inclined to “self-select” which can become a source of distortion to the findings. Lewis suggests loss estimates should be based on “scale and effect” which ‘will likely produce quite different and possibly more objective and accurate results in terms of adverse impacts and loss values’.

CSIS – McAfee Assessment model… Lewis’ intent was to bring greater clarity and validity to the loss figures being reported, so data from ‘car crashes’, ‘retail pilferage/shrinkage’, ‘crime stats’, and ‘drug usage’ were examined for their relevance and comparison as methodologies to draw upon insofar devising CSIS’ assessment (valuation) model. By incorporating these analogies into the design of their loss valuation assessment model, Lewis, and McAfee were suggesting it’s problematic to rely on conventional (existing) survey methodologies to calculate dollar value for losses, because, among other things…

  • companies that (publicly) reveal their losses are frequently unfamiliar with distinguishing the actual (proprietary, IP, intangible) assets which were stolen, compromised, or infringed, thus more guesstimates.
  • intellectual property – intangible asset losses are difficult to quantify because relevant dependant variables are often absent from the equation, and, often
  • the self-selection process associated with most conventional survey methodologies, frequently produces distortion in the findings.

CSIS model includes components – classifications of malicious cyber activity and economic espionage…

This, Lewis gleans, by asking ‘what should be included and counted insofar as arriving at more precise loss estimates’, i.e., there…

  • was a loss of intangible assets, i.e., intellectual property, sensitive business confidential/- proprietary information.
  • was an actual crime committed, i.e., a violation of federal law.
  • were opportunity costs, i.e., business and/or service disruptions that adversely effected consumer/customer expectations, particularly those related to the victimized company’s online activities.
  • would be additional costs incurred relative to…
    • re-securing their IT networks.
    • achieving greater company resilience insofar as to recovering from future cyber – economic espionage attacks, and
    • developing/executing business continuity plans designed to provide more rapid and fuller recovery when future attacks occur.
  • were damages to company reputations which tend to have a longer period for recovery, and lastly,
  • were costs to re-establish and re-secure company supply chain networks.

What’s the harm…?

If Lewis is correct in inferring there have, inadvertently, become “tolerated costs” and/or ‘ceilings’ for estimating losses.

So, a different perspective; is economic-cyber espionage the greatest transfer of wealth in history, or merely a rounding error in countries’ GDP…?

This, of course represents a perspective intended to elevate the significance and acknowledge the adverse impact of cybercrime-economic espionage, while the former represents a perspective intended to diminish the ‘sticker shock’ of the adverse economic impacts by characterizing them as percentages of national GDP’s.

As always reader comments are most welcome.

Product Piracy: A Global Economic Risk

October 6th, 2014. Published under Economic Espionage, Product counterfeiting.. No Comments.

Michael D. Moberly    October 6, 2014     ‘A long form blog where attention span really matters.’ 

Stolen, misappropriated IP and other intangible assets…

When values are calculated and assigned to stolen, misappropriated, and/or otherwise compromised intangible assets, i.e., intellectual and structural capital particularly, they may be (a.) quite subjective, (b.) merely regurgitated guesstimates, and/or (c.) embedded with inadvertent biases or political agendas and other variables that inevitably influence high or low valuations.

For example, it’s quite common to witness pundits and open source media to merely regurgitate high dollar losses (impacts) attributed to cyber – economic espionage, ranging between $100 to $500+ billion annually to the U.S. alone.

The worlds’ second oldest profession…

It’s important to recognize that an, as yet unknown percentage of malicious cyber activity, evolves into economic espionage.

There remain a percentage of policymakers, company c-suites, and management teams who find it to be an especially challenging ‘to get their arms and heads around’ insofar as articulating, with strategic clarity, precisely why cyber – information asset protection security and economic espionage prevention/mitigation initiatives are essential from the outset to any business initiative.

Objective calculation of losses and costs to materialized risks…

Calculating and assigning a dollar value to losses and costs associated with cyber crimes, particularly those which culminate in economic espionage, may appear, at first blush, to be relatively straightforward tasks. But, to be sure, there is much more to calculating and assigning dollar values to costs – losses than acquiescing to mere guesstimates.

Factors that influence companies to go public with their victimization…

Going public, represents, among other things, a companies’ admission of being victimized followed by a guesstimated admission of the extent – value of the losses attributed to the adverse acts, which, are often initially framed in passionate and angry descriptions how the acts and losses will impact the victims’ company..

Victim anger and passion aside, we know it is challenging to determine, let alone isolate and accurately assess asset losses rapidly. In many instances, that’s because, the losses are not limited solely to stolen or undermined intellectual property or capital, i.e., trade secrets, and proprietary information, etc. Instead, the full extent of a targeted companies’ losses are frequently more strategic and include equally valuable structural and relationship capital and thus may not be immediately measurable or fully realized and calculated until well after the fact.

No surprises…

Again, assigning specific price tags to companies’ cyber – economic espionage losses is a challenging undertaking, because the processes are often embedded with subjective assessments that do not reflect a comprehensive accounting of the ‘contributory value’ of various assets which serve as foundations to an infringed patent. For example, it’s not especially prudent then to assume the findings of the various surveys and studies produced over the years are the result of using objective data and calculations free from the influence of larger political, social, and national security agendas.

Numerous reports…

Since the passage of the Economic Espionage Act (EEA) in October, 1996, there has been no shortage of surveys and studies produced whose focus has largely been to ‘dramatize’ the costs, losses, and adverse impacts attributed to cybercrime and economic espionage.

Having read and studied most, if not each of these studies/surveys over the past 25+ years, I interpret many of the methodologies and findings to be somewhat competitive in the sense that each appears to be conceptually broader in the ranges of dollar losses and adverse economic impacts and characterized in more dramatic fashion.

Calculating losses attributed to economic espionage require objectively framed equations…

For many years there has been a general inclination to accept, perhaps naively, after-the-fact prognosticative research regarding the valuation of losses attributed to cyber – economic espionage.

My counsel on that matter is that any formula or conventional intangible asset valuation methodology used to calculate the loss and/or compromise of intellectual properties should differentiate the assets which have been stolen and/or compromised by category, i.e., intellectual, structural, and relationship capital.

As always, reader comments are most welcome!

CSIS – McAfee Partner on Cyber – Economic Espionage Impact

August 17th, 2014. Published under 'Safeguarding Intangible Assets', Economic Espionage. No Comments.

Michael D. Moberly    August 17, 2014   ‘A long form blog where attention span really matters’!

A collaborative partnership… In 2013, CSIS (Center for Security and Internal Studies) and McAfee partnered to examine cyber – economic espionage impact in a manner more inclusive than what I have previously observed over the past 25+ years. Spoiler alert; Dr. James Lewis, Senior Fellow and Director of CSIS’ Center for Technology and Public Policy Program offered his best guess that ‘the upper limit (of the costs-losses attributed to cyber – economic espionage) might be somewhere under one percent of the GDP’ (gross domestic product). Lewis also states, and I paraphrase, ‘U.S. economic costs-losses to cybercrime and economic espionage attributed specifically to – originating in China, may reach as much as $140 billion annually’.

$140 billion annually, 508,000 jobs…

While I have no basis to dispute those figure, or question Dr. Lewis’ experienced and respected record of achievements in the cyber crime – economic espionage arena, I do suggest there may be some predictable factors insofar as arriving at the $140 billion annual loss figure especially. One of which lies in determining which assets and/or impacts to include and the methodology for determining their near term and long term value in terms of costs and losses companies will experience with respect to market space, competitive advantages, sustainability, etc. Routinely, asset loss – impact valuations attributed to cyber-economic espionage, irrespective of their accuracy or objectivity, produce dollar values characterized in broad ranges on the plus – minus side. Lewis claims, and I agree, describing value loss – impact estimates with such broad range estimates is reflective of multiple difficulties, among them being, as readers know, numerous companies may…

  • be reluctant to reveal or inclined to conceal their losses,
  • not know precisely which/what assets were targeted, stolen, comprised, or misappropriated.

Intellectual property (and other forms of intangible assets) are challenging to value with consistency and objectivity. So, when values are calculated and assigned to stolen, misappropriated, and/or otherwise compromised intangible assets, i.e., intellectual and structural capital particularly, those figures, in my judgment, may be somewhat subjective and/or embedded with a particular bias or even agenda that in turn may influence high or low valuations.

For example, it’s relatively common to see open source media and their ‘talking heads’ to merely regurgitate extraordinarily high dollar volume losses (impacts) to the U.S. economy, attributed to cyber – economic espionage, ranging between $100 and $500+ billion annually.

But, Lewis wisely, yet provocatively, casts such wide ranging estimates of losses attributed to cyber – economic espionage in other contexts, starting with World Bank reports which state global GDP stood at about $70 trillion for the year 2011.  Thus, a $400 billion loss representing the high end range of probable losses caused by cyber crime and cyber espionage is a fraction of a percent of that global GDP figure. This, Lewis says, prompts additional questions, something which I have examined for many years, e.g. can the recipients and/or ultimate beneficiary of the targeted-acquired intangible assets expect to maximize their benefit and use? A second question focuses on the damage to victim companies relative to the cumulative effect of cybercrime and cyber espionage, i.e., market space position, sector competitive advantages, reputation risk, etc.

Guesstimates…

Having thoroughly studied many, what I respectfully refer to as ‘guesstimated’ economic espionage and stolen/infringed intellectual property (IP) reports over the course of 20+ years, I genuinely believe Dr. Lewis’ findings to be as flawless, encompassing, and accurate as can be reasonably expected in the multi-faceted and ambiguous arena from which to acquire reliable and replicable data points. For example, quite interestingly, the CSIS – McAfee report translates these asset loss estimates as representing perhaps as many as 508,000 U.S. jobs.

Conventional surveys to assess – assign dollar value to losses…

Some IP and intangible asset theft – loss estimates rely on surveys, which Lewis quite correctly points out, generally provide imprecise values, unless the survey itself has been carefully constructed and managed. Too, a common challenge, insofar achieving credence to cyber-security-espionage survey findings, Dr. Lewis also points out, is that (survey) respondents are inclined to “self-select”.  When this occurs, it introduces a potential source of distortion to the results.  So, being mindful of these and other data collection challenges to this already sensitive topic for companies, Lewis suggests loss estimates be based on assumptions about scale and effect. Changing those assumptions, Lewis argues, will likely deliver quite different results in terms of loss values.

CSIS – McAfee Assessment model…

As a demonstration of Lewis’ intent to be as objective and encompassing as possible insofar as valuing losses attributed cyber and economic espionage, CSIS secured the expertise of prominent economists, intellectual property experts, security researchers, and even incorporated, what could appear at first blush irrelevant analogies to bring clarity to the figures they were reporting, e.g., comparative statistics for car crashes, product piracy, pilferage, crime stats, and drug usage which collectively were integrated, for comparison purposes, to serve as frameworks to draw upon in devising their assessment (valuation) model. By incorporating these analogies in the design of their assessment model, Dr. Lewis, CSIS, and McAfee were essentially suggesting, should my interpretation be correct, it’s problematic to rely exclusively on conventional methodologies, particularly time honored surveys, to identify dollar values to losses attributed to cyber-economic because…

  1. companies that (publicly) reveal losses attributed to cyber – economic espionage are frequently unable to distinguish, with the necessary precision, the actual (proprietary, IP, intangible) assets which were stolen, compromised, or infringed.
  2. intellectual property – intangible asset losses are admittedly difficult to quantify with consensus, and when they are, the assessment – valuation is likely to reflect subjective guesstimates absent factoring numerous dependant variables which are invariably in play.
  3. the self-selection process associated with most conventional (time honored) survey methodologies, frequently produce some distortion to the findings.

CSIS model includes six classifications of cyber – economic espionage…

Insofar as actually commencing this much needed project, CSIS classified malicious cyber – economic espionage activities into six areas, i.e., wherein there…

  1. was a loss of intellectual property occurred.
  2. was an actual crime committed, i.e., a violation of federal law.
  3. was a loss of sensitive – proprietary business information.
  4. were opportunity costs involved, including business and/or service disruptions that adversely effected consumer/customer expectations and trust particularly those related to the victim company’s online activities.
  5. would be additional costs incurred by the victim company relative to securing their IT networks and incorporate greater resilience measures to provide quicker and fuller recovery when future attacks occur.
  6. damages manifested – materialized as reputational risks to the victim company.

Each of the above should be examined through a lens of reverence in that there is little question the inclusion of these and other factors, collectively help victim companies arrive at a more comprehensive and current appreciation for the losses, costs, and overall impacts caused by acts of cyber – economic espionage.

The worlds’ second oldest profession…

Economic (industrial) espionage is often euphemistically referred to as the world’s second oldest profession behind, of course, to prostitution. Readers do recognize that an, as yet unknown percentage of malicious cyber activity, evolves as economic espionage and is an obvious by-product of the continually evolving IT and Internet arenas. But still, as both cyber – economic espionage are irreversibly embedded in global cultures and business, there remain a percentage of policymakers, company c-suites, and management teams who find it a challenging phenomenon ‘to get their arms and heads around’ insofar as articulating, with strategic clarity, precisely why cyber security and economic espionage prevention/mitigation initiatives are so essential. The answers to these increasingly critical concerns, either of which, when they materialize, can produce substantial, if not utterly debilitating adverse effects to a company’s value, sources of revenue, profitability, growth potential, and overall sustainability. lie in well grounded research to aid c-suites and boards in framing their near term and strategic decisions, actions, and responses. CSIS – McAfee identified components of malicious cyber activity… In the CSIS – McAfee report, Lewis quite appropriately asks what should be counted insofar as arriving at better loss estimates attributed to cybercrime and cyber (economic) espionage. Interestingly, in an effort to address this question, Lewis categorizes malicious cyber activity into the following components, i.e., the…

  1. loss of intangible assets, i.e., intellectual property and sensitive business confidential/- proprietary information.
  2. opportunity costs linked to…
    1. service and employment disruptions, and
    2. reduced trust in online services and activities.
    3. additional costs
    4. securing company and supply chain networks
    5. insurance.
    6. resilience to – recovering from cyber attacks, i.e., developing/executing business continuity and resilience procedures.
    7. reputational risk materialization and damages.

What’s the harm…? If Dr. Lewis is correct in assuming, through the analogies he describes in the Report, some of which appear tantamount to inferring there are “tolerated costs” within in the realm of cyber crime and cyber espionage which manifest as a ‘ceiling’ of sorts, for estimating losses.  This suggests that, at most, cybercrime and cyber espionage costs less than 1% of GDP.  For the U.S. then, in the context of its GDP, Lewis’ best guess is that losses (caused by cyber crime and cyber espionage) may reach $100 million annually. To provide context for this estimate, Lewis points out that annual expenditures on research and development in the US are $400 billion annually, and $100 million in stolen/misappropriated intellectual properties he offers, does not translate to dollar for dollar gain to the recipients and/or ultimate beneficiaries, i.e., the economic, competitive advantage adversaries! As always, reader comments are most welcome!

Cyber Crime and Economic Espionage Assessing Costs and Economic Impacts…

August 11th, 2014. Published under Economic Espionage, Intangible asset protection, Intangible Asset Value. No Comments.

Michael D. Moberly    August 11, 2014    ‘A long form blog where attention span really matters.’

Objective calculation of losses and costs.

Calculating and assigning a dollar value to losses and costs associated with cyber crimes, particularly those which culminate in economic espionage, may appear at first blush to be relatively straightforward tasks. However, when intellectual properties and other categories of intangible assets are targeted and acquired by economic and competitive advantage adversaries, the legitimate holder of those assets is obliged to objectively assess their value?

Similarly, if a cyber attack temporarily brings down a company’s IT network, the targeted company is obliged to objectively calculate losses to productivity, sales, and essential communications as well as costs to return their system to operational normalcy with the necessart security upgrades.  Obviously, there is much more to calculating and assigning a dollar values to such costs/losses than engaging in more guesstimates.

No surprises.

For regular readers, it should come as no surprise that there are significant differences of opinion globally about calculating the costs and losses attributed to malicious cyber activity and economic espionage directed to companies’ R&D, university-corporate research consortiums, etc. As conveyed in previous posts at this blog, dollar value losses cited in numerous respected surveys and studies range from a mere few billion dollars to hundreds of billion dollars annually. To be sure, assigning specific price tags to companies’ cyber – economic espionage losses is challenging, but too, the processes are often embedded with subjective assessments that do not reflect a comprehensive accounting of the peripheral and contributory value of each of the other intangible assets underlying a patent for example. So, it may not be especially prudent to assume the findings of the various surveys and studies have been reached using objective data or calculations that are free from the influence of larger political, social, and national security agendas. This may be a reason why we are witnessing such a broad range of loss estimates regarding cyber – economic espionage.

Is economic-cyber the greatest transfer of wealth in history or merely a rounding error?

While I am not the originator of the above question, there are numerous responsible parties that do characterize losses attributed to cybercrime and economic espionage in this fashion, i.e., as constituting either the greatest transfer of wealth in human history, or merely as rounding errors in a $14 trillion dollar economy?

The former of course represents a perspective intended to elevate the significance and adverse impact of cybercrime-economic espionage, while the latter represents an opposite perspective which is to diminish the ‘sticker shock’ if you will, of the adverse impact by characterizing it in the context of what is to most as incomprehensible dollar amounts or collective national GDP’s.

Having said that, both perspectives, through my lens, warrant inclusion in the broader conversation.

Numerous reports…

Since the passage of the Economic Espionage Act (EEA) in October, 1996, there has been no shortage of surveys and studies launched whose focus has largely been to dramatize the costs, losses, along with an array of adverse (economic, competitive advantage) impacts attributed to acts of cybercrime and economic espionage and adversely effecting either or both the private sector or national security/defense.

Having read and studied most, if not each of these reports over the past 25+ years, I interpret the findings and supporting documentation to be somewhat competitive in the sense that each report strives to be conceptually broader and offer broader ranges of losses and impacts and in more dramatic fashion.

Too, many reports, particularly those published in recent years, are collaborative, in that a known and usually global player (i.e., accounting, consulting, or IT firm) has partnered with a prestigous university (academic unit) or ‘think tank’ assuming this will elevate the reports’ credence and validity in the eyes of its previously targeted audience. In addition, more such reports include examples and/or mini-case studies describing the impact to victimized companies and/or organizations, whom, for multiple reasons have elected to ‘go public’, perhaps at the behest of federal (EEA) prosecutors and thus agree to seek prosecution of the perpetrators, whomever or whatever they may be.

Expectations of receiving damage – loss restitution…

Any victim company’s expectations of receiving damage or restitution payments is slim and therefore are largely symbolic when that is the finding of a court. That’s because a large percentage of those engaged in and prosecuted for EEA-related violations have international origins, which, while within the EEA’s scope may also find it useful to bring such action before the World Trade Organization (WTO).

Factors in play that influence companies to go public…

Readers recognize of course, there are numerous factors in play that comprise a company’s decision to ‘go public’. Going public, represents among other things, a companies’ admission of being victimized followed by a guesstimated admission of the extent – value of the losses being attributed to the acts, which, initially are  often framed in passionate and angry guesstimates of how the acts and losses will impact the victims’ company and even who the culprit(s) may be and how the adverse act was actually committed.

Victim anger and passion aside, we know it is challenging to determine, let alone isolate and accurately assess such losses very rapidly. That’s because, in many instances, the losses are not limited solely to lost or undermined intellectual capital, i.e., trade secrets, proprietary information, and IP. Instead, the full extent of a targeted companies’ losses are frequently more strategic in the form of relationship capital and thus may not be fully realized for several months out.

Reputation risk factor…

Another factor in play with respect to the counsel and ultimate decision to ‘go public’ with a companies’ victimization is the very real possibility that having the matter come under public and regulatory scrutiny, there is, unfortunately, a probability the victim company, will experience the materialization of reputation risk manifesting at some level. I refer to materialization of reputation risk with the phrase  ‘at some level’, because such company specific reputation risks can manifest in different ways for different sets of consumers, stakeholders, and investors, etc.

Yes, a company’s reputation is an intangible asset of the first order. A company’s reputation is embedded with – comprised of many other contributing intangible assets which collectively produce significant value. In other words, reputation represents expectations, and therefore serves as the rationale in which consumers distinguish, seek, and likely purchase one product or service over another because it consistently meets or exceeds our expectations.

Calculating losses attributed to economic espionage require objectively framed equations…

For many years there has been a general inclination to accept, perhaps naively, the guesstimated findings of after-the-fact prognosticative research regarding losses – impacts attributed to cyber – economic espionage valuations. My counsel is that any formula, conventional intangible asset valuation methodology, and/or equation used to calculate the loss and/or compromise of valuable intellectual properties (intangible assets) caused by cyber-economic espionage should…

  • differentiate the assets which have been targeted, lost, and/or compromised by category, i.e., intellectual, structural, and relationship capital to ensure the findings
  • bring quantitative – qualitative distinctions and clarity to a fuller range of related acts/events which can materialize following an act of cyber-economic espionage, e.g., produce adverse stock market reactions if the targeted company is publicly traded, reputation risks, productivity losses, business disruptions, loss of consumer trust, expectations, and goodwill, as well as the costs required to re-establish IT and supply chain security, etc.

As always reader comments are welcome!

Economic – Cyber Espionage Impact

August 8th, 2014. Published under 'Safeguarding Intangible Assets', Economic Espionage. No Comments.

Michael D. Moberly     August 8, 2014    ‘A long form blog where attention span really matters’!

Dr. James Lewis, Director and Senior Fellow, Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS) very appropriately states, among countless other relevant and practical jewels of wisdom in his July, 2013 report titled, ‘The Economic Impact of Cyber Crime and Cyber Espionage’ that there is ‘a wide range of estimates of annual losses, from a few billion dollars to hundreds of billions’.  That statement itself, is not particularly noteworthy, but the distinctive ways Dr. Lewis reframes the statement by identifying various alternative lens in which the impact of economic and cyber espionage can be viewed through comparisons and analogies is very worthy.

This obvious broad range reflects several difficulties, claims Lewis, i.e., because companies may…

  • be inclined to conceal their losses,
  • not be aware of what assets have actually been stolen, comprised, or misappropriated.

Granted, intellectual property (and other forms of intangible assets) difficult to objectively value, and when a value is assigned, in my judgment, it’s often subjective and/or embedded with particular agendas that produce especially high or low ($) valuations.

Some IP and intangible asset estimates rely on the work and findings of other surveys, which Lewis quite correctly points out, generally provide imprecise values, unless the survey itself has been carefully constructed and managed.

Too, a common challenge, insofar achieving credence to cyber-security survey findings, Dr. Lewis point out, is that (survey) respondents are inclined to “self-select”.  When this occurs, it introduces a potential source of distortion in the results.  So, being mindful of these and other data collection challenges to this already sensitive topic for companies, i.e., in economic and cyber espionage, matters, it is not uncommon, Lewis suggests, for loss estimates to be based on assumptions about scale and effect. Changing those assumptions, Lewis argues, will likely deliver quite different results in terms of loss values.

Components of malicious cyber activity…

In the report, Lewis starts by asking what should be counted insofar as arriving at better loss estimates caused by cybercrime and cyber espionage. Interestingly, Lewis categorizes malicious cyber activity into five components, i.e., the…

  1. loss of intangible assets, i.e., intellectual property and business confidential/proprietary information.
  2. loss of sensitive business information, including possible stock market manipulation •
  3. opportunity costs linked to…

a. service and employment disruptions, and

b. reduced trust in online services and activities.

4. additional costs

a. necessary to secure company and supply chain networks

b. for insurance.

c. to recover from cyber attacks, i.e., developing/executing business continuity and resilience procedures.

5. reputational risk materialization and damage to victimized companies.

Putting these components together, Lewis claims, and I agree, the cost of cybercrime and cyber espionage to the global economy can broadly be characterized in the hundreds of billions of dollars annually.

But, Lewis wisely and provocatively, casts those wide ranging estimates in other contexts, starting with World Bank reports which state global GDP stood at about $70 trillion for the year 2011.  Thus, a $400 billion loss representing the high end range of probable losses caused by cyber crime and cyber espionage is a fraction of a percent of that global GDP figure.

This, Lewis says, prompts additional questions, e.g. can the recipients and/or ultimate beneficiary of the acquired intangible assets  expect maximum benefit/use?,  and a second question focuses on the damage to victim companies relative to the cumulative effect of cybercrime and cyber espionage, i.e., market space position, sector competitive advantages, reputation risk, etc.

What’s the harm…?

If Dr. Lewis is correct in assuming, through the analogies he describes in the CSIS Report, some of which appear tantamount to inferring there are “tolerated costs” within in the realm of cyber crime and cyber espionage which manifest as a “ceiling” for estimates of losses.  This suggests that, at most, cybercrime and cyber espionage costs less than 1% of GDP.  For the U.S. then, in the context of its GDP, Lewis’ best guess is that losses (caused by cyber crime and cyber espionage) may reach $100 million annually to the U.S.

To provide context for this estimate, Lewis points out that annual expenditures on research and development in the US are $400 billion annually, and $100 million in stolen/misappropriated intellectual properties he offers, does not translate to dollar for dollar gains to the recipients and/or ultimate beneficiaries, i.e., the economic, competitive advantage adversaries.

As always, readers comments are welcome.

Economic Espionage Economic Consequences

July 12th, 2014. Published under Economic Espionage, Intangible asset protection. No Comments.

Michael D. Moberly    July 12, 2014     ‘A long form blog where attention span really matters’.

Economic Espionage Act of 1996…

I have been consistently engaged in studying, conducting investigative research, publishing, and consulting on a variety of ‘open source’ matters related to economic espionage beginning well in advance of the passage of the Economic Espionage Act in 1996. Admittedly, while my interest in economic espionage issues are broad based, having served fulltime in academia for 20+ years, much of my interest has been directed toward the targeting and victimization of university-based research and corporate-university research alliances by insiders, competitor intelligence, data miners, information brokers, and foreign (independent and state-corporate sponsored) entities, and now ‘legacy free players’.

A distinctive aspect of my work in this arena is that I began to characterize these entities as ‘economic and competitive advantage adversaries’ as a more relevant descriptor of…

  • the variants of economic espionage that exist today
  • the range of domestic and international parties engaged.

Admittedly, this descriptor reaches beyond the definitions (precise requisites) codified in the federal Economic Espionage Act (18 U.S.C. § 1831-1839) statute. Doing otherwise, in my judgment, is limiting, and does not begin to convey the currency, depth, and breadth of this persistent and extraordinarily predatorial risk.

Capturing diversity and methodology of global players…

Too, I believe the phrase ‘economic and competitive advantage adversaries’ better captures the diversity of global players in terms of what and why particular assets are targeted, adversary’s motivations, as well as a testament to the ‘layered methodologies’ which are challenging to unravel with respect to those actually engaged in the acquisition initiative and the ultimate and/or primary (end) beneficiary of the acquisition.

My intent for re-phrasing the time honored (economic espionage) language are that it…

  • brings greater relevance to businesses and companies and elevates their recognition that the theft or acquisition of their proprietary information, ala trade secrets, has many more dimensions and facets today compared to when the EEA became Federal law in October, 1996.
  • indicates the targets are not exclusively national security and/or defense related.

Ultra sophisticated data mining…

The product, i.e., intangible asset acquisition, analysis, and insight, etc., capable of being delivered to an end user(s) through the application of sophisticated and frequently ‘off the shelf’ data mining technologies by economic and competitive advantage adversaries today is phenomenal by any standard or metric.

Determining who the ultimate end user or beneficiary is…?

Of the countless global entities, independent operators, and legacy free players engaged in some aspect of business, competitive intelligence, and/or information brokering today whether it be legitimate or illegal, believe me, it’s not necessarily a simple task to identify precisely who the real end user (beneficiary) of the work product will be or actually is.

Absent knowing who the real beneficiary of any misappropriated – stolen information-based intangible assets is, understanding how such assets will (can) be used or applied, once acquired and delivered, particularly if there are dual-use features involved, is useful. Still it remains challenging to objectively quantify, in dollar terms, the adverse economic, including competitive advantage, reputation, market share, etc., consequences attributed to any single event or collective loss.

Economic and competitive advantage adversaries…

I do believe reframing conventional economic espionage activities in a context of ‘economic and competitive advantage adversaries’ has substantially greater relevance in today’s increasingly competitive, aggressive, predatorial, and winner-take-all global business transaction, R&D, and new product launch environments.

Too, as the global economies’ become increasingly intertwined, yet overwhelmingly dominated by highly valuable intangible assets, particularly intellectual, structural, and relationship capital, achieving most any economic and/or competitive advantage is all but sure to outweigh the relatively minimal risk associated with most targeting and intelligence collection-acquisition initiatives. In other words, it has become obvious to me and I’m sure others as well, that the significant potential benefits of securing an economic and/or competitive advantage in a specific market or industry sector exceeds, intellectually at least, most costs and/or risks.

To anyone paying more than passing attention to economic (cyber) espionage today, they should recognize the adverse activities described above, as evolving from primarily targeting defense and national security projects to an unrelenting, costly, and inevitable risk for most any (public-private) commercial entity, regardless of size or industry sector, in which valuable intangible assets are being produced and applied. It is the intellectual, structural, and relationship capital which have become the globally universal forms of currency, often with company and/or country specific application and relevance.

Extrapolating costs of economic espionage…

As for extrapolating the costs – losses of economic espionage (acts of economic and competitive advantage adversaries) to a single company or to an individual country’s economy, either as a whole or to a specific industry sector, such analysis comes with a host of challenges, not the least of which is the often subjective nature of the calculations which, it’s not unrealistic to assume, are embedded with various corporate, government, policy, and political agendas.

Interestingly, in the 25+ years that I, and numerous others, many of whom have become colleagues, have been examining and consulting in the economic espionage arena, there is little that I can readily point to insofar as objective methodologies to measure…

  • the specific damages and/or costs to a targeted/victim company.
  • how to specifically attribute –differentiate the source of those losses to acts of economic espionage, and then
  • extrapolate that data to either the U.S. or other country’s economy as a whole.

….aside from using the ‘contributory value’ approach.

Go fast, go hard, go global…

For example, the full range of economic – competitive advantage repercussions from a single incident/act of ‘economic espionage’ is challenging to fully grasp, in part due, I suggest, to the go fast, go hard, go global business transaction environment which most businesses now routinely function and the multitude of valuable intangible assets being produced.

Exacerbating this phenomena is the reality that a company’s awareness of trade secret – intangible asset theft or compromise seldom, in my experience, emerges immediately. Thus, its adverse economic – competitive advantage consequences to the victim company can only be objectively calculated if the consequences can be specifically attributable to an economic – competitive advantage event and should be done so in both strategic (long term) and near term contexts.

A rationale…

My rationale is that a single (stolen, misappropriated, compromised) trade secret and/or proprietary information (intangible asset) frequently involves multiple iterations and combinations of intellectual and structural capital being embedded which, in a strategic context, may be applicable to variety of products and/or services in different industry sectors.

It’s worth reminding readers of the globally universal economic fact, that today, 80+% of most company’s value, sources of revenue, and ‘building blocks’ for growth, profitability, competitive advantage, and sustainability lie in – evolved directly from intangible assets.

I am not suggesting that the loss, theft, or compromise of a single trade secret or intangible asset is immeasurable. Rather, I am suggesting that measuring the real economic loss to a company must include objective near and long term calculations which can only come, in my view, from recognizing that trade secrets (proprietary know how) can readily become embedded with not just one, but numerous (proprietary) intangible assets.

As always, your comments are appreciated at m.moberly@kpstrat.com