Michael D. Moberly July 1, 2014 ‘A long form blog where attention really span matters.
Calculating the cost of economic espionage, micro, macro…
Calculating the cost of economic – cyber espionage, i.e., its micro adverse impact to a specifically targeted company asset and competitive advantage, supply chain partners, etc., or its macro adverse impact to a broader (local, regional, national) economy are, at best, a challenging and often times, up to this point anyway, a largely subjective undertaking. Too, address the costs and/or consequences of economic – cyber espionage has being ratcheted up on company’s decision making ladder by assuming a sense of fiduciary responsibility and/or obligation, due in part to Stone v. Ritter (911 A.2d 362 (Del. 2006). But, still, as noted numerous times in this blog, assigning a precise value to the loss of intangible assets involves in my judgment, subjective calculations which at best constitute guesstimates.
Decisions for the victimized company …
There are numerous decisions which company’s victimized by economic – cyber espionage must endure which will variously have a bearing on the end result, i.e.,
- Whether or when to ‘go public’ with the event. In a growing number of instances prudent reputation risk management best practices and state and federal law, dictate ‘going public’ quickly.
- How to address the inevitable questions, revelations, and possible investigations which will likely convey uncomplimentary perspectives about a company’s overall readiness. Few, c-suites’ are oblivious to these potentialities that now routinely follow breaches that adversely effect reputation, e.g., how did it happen, why did it happen, was the company sufficiently prepared to thwart, contain, and/or defend against such attacks, what activities was the company engaged in to make it an attractive target for economic – cyber espionage, and when did the company first realize it had been victimized? The latter is usually framed as ‘why not sooner’?
- What is the best methodology for quantifying the near and/or long term adverse effects to specific operational units – brands in the company or the company as a whole, as well as economy, particularly the sustainability of key supply chain partners, as well as the ability of a victimized company to return to a state of operational normalcy.
Underlying variables which often weigh heavily on these, and other ‘reputation risk’ matters is not knowing precisely how stockholders, stakeholders, consumers, and media will react to economic – cyber espionage events and whether their reaction will be short-lived, or adversely long term?
There is little argument that economic – cyber espionage represents a serious, persistent, and asymmetric risk/threat to most companies, and now, as globalized business is a routine fixture, multiple country’s economies’ can be adversely effected. Broadly speaking, this perspective was initially conveyed during Judge Sessions’ tenure as FBI Director during a speech to the Cleveland Economics Club in which he very appropriately uttered the now often repeated statement ‘economic security and national security are synonymous’.
Of course, the realities embedded in Director Session’s statement are much more relevant today, particularly given the economic fact that consistently rising percentages of most company’s value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability’ lie in – evolve directly from intangible assets which now routinely reach or exceed the 80+% mark. This translates as the attractivity for certain companies to become targets (victims) of economic – cyber espionage is related to specific intangible assets a company has developed, acquired, and assembled in the form of intellectual, structural, and relationship capital or, more simply stated, ‘know how’.
Assessing losses and damages to intangible assets…
First, let me point out that incidents’ of economic – cyber espionage produce the obvious tangible losses, but also losses to various intangible assets a company may have developed or acquired, in this instance reputation and other intangibles in the form of intellectual, structural, and relationship capital.
Assessing (translating) intangible asset losses in dollar values is not for the uninitiated nor is it necessarily for asset valuation specialists whose expertise lies largely in valuing more ‘stationary’ objects or assets.
Valuing (measuring) intangible asset losses-damages present unique challenges which I find may be quite subjective insofar as advancing a particular agenda or accommodating a specific need. In fact, the full extent of a successfully executed economic – cyber espionage event to a target’s intangible assets can seldom be recognized quickly. For example, if a company experiences a theft of specific proprietary information, i.e., intellectual, structural capital, or trade secret, those assets may be distributed and/or applied to multiple beneficiaries internally and externally with each contributing to efficiencies in the production and operability of different products in different industry sectors.
Contributory value of intangible assets…
Be assured, I am not suggesting such losses of a company’s intangible assets are absolutely immeasurable, rather those engaged in their valuation must recognize they have distinctive features and characteristics, the primary one being they are not tangible. So in valuing intangible asset losses, I want to ensure the findings are as objective as possible. So when valuing intangible asset losses, I start by identifying and distinguishing the intangibles at risk – in play. I then commence a process of examining each asset in the context of their ‘contributory value’ .
Understanding intangible asset value…
An important key to understanding, and ultimately estimating the value of a company’s intangibles assets which have been illicitly acquired or stolen through an act(s) of economic – cyber espionage, lie in understanding the processes, procedures, and resources necessary to sustain control, use, ownership, and monitor the value, materiality, and risk to those assets. In today’s hyper-aggressive, predatorial, and go fast, go hard, go global business transaction environments which many companies, regardless of size or sector, routinely operate, any company’s intangible asset safeguards should be constructed to withstand the inevitable consequences of ‘category five hurricanes, cyclones, or Richter scale 5+ earthquakes’ or even the occasional Tsunami. The reason is, there are an abundance of global players working 24/7 in this arena one of which are what Thomas Friedman refers to as legacy free players which I have taken the liberty of re-applying to reflect this current phenomenon.
Legacy free players…
A proper starting point for achieving today’s much warranted level of asset (value, competitive advantage) sustainability, must include…
- measures to monitor of asset value, materiality, and risk.
- being alert to anecdotal reports that provide important glimpses into economic – cyber espionage techniques and methodologies, and
- knowing (understanding) who the global players are, particularly the origins of the increasing number of ‘legacy free players’ (Thomas Friedman, ‘The Flat World).
My definition of ‘legacy free players’ is quite similar to that of Mr. Friedman’s, that is, these individuals/groups may not be necessarily aligned with or employees of nation state sponsors which are frequently technology dependant and sophisticated, or even organized units/cadres of economic spies. Instead, ‘legacy free players’ are, for the most part, independent operators or groups of individuals whose country of origin, and consequently the cultural perspective about honoring the intangible properties of others is a relatively new concept insofar as respecting personal, let alone intellectual property rights. In other words, there is an absence of legal, social, or cultural legacy to others’ properties of the mind, i.e., intellectual – human capital.
No over dramatizations here…
Readers’ who elect to construe these characterizations as over dramatizations would be mistaken. Too, it’s indicative of not being current about the risks and threats posed by increasingly (ultra) sophisticated and organized groups of state sponsored, independent actors, and the growing numbers of ‘legacy free players’, i.e., global economic – competitive advantage adversaries, each functioning quite effectively and probably profitably in their predatorial environments.
So, in my judgment, any asset loss or damage assessment which excludes, in its equation, the economic fact that 80+% of most company’s value and sources of revenue lie in intangible assets, will not convey the full extent/consequence of economic – cyber espionage.
In far too many instances, I observe information asset protection practitioners and programs that appear to have been constructed using quite conventional ‘infosec’ frameworks…
- designed to address subjective, anecdotal, or one-off types of (information asset) threats, risks, or events, or are
- based on pre-conceived notions of who the adversaries’ are, their origins, motives, and methods, or
- that are country (adversary) specific based on presumptions of who the beneficiaries are.
As always, I welcome your comments at firstname.lastname@example.org or 314-440-3593 (St. Louis)