The Digital and Cyberspace Policy Program has launched a new Cyber Brief. This one provides recommendations on how to incentivize more disclosure of the theft of intellectual property from the private sector. It was written by Robert Knake, Whitney Shepardson Senior Fellow at CFR and senior research scientist at Northeastern University’s Global Resilience Institute.
Here's the introduction:
Threats to national and economic security emanating from cyberspace are all too real, but public disclosure of incidents of the theft of intellectual property (IP) is exceedingly rare. Former National Security Agency Director and the first Commander of Cyber Command Keith Alexander has labeled China’s theft of U.S. intellectual property through cyber means “the greatest transfer of wealth in history.” Few experts in the field dispute that conclusion. In November 2015, National Counterintelligence Executive William Evanina estimated that cyber-enabled economic espionage cost the U.S. economy $400 billion per year, with 90 percent of the theft originating in China.
Yet, given that few companies have ever disclosed their losses from cyber-enabled intellectual property theft, the public is left with a seeming paradox: government officials cite the prospect of devastating consequences from intellectual property and trade secret theft, but there are few public examples of companies that have been the victims of such actions. Why companies want to keep these incidents from the public is unclear. The rationale for disclosure, however, is strong. Rapid disclosure can inform defensive actions at other companies, allow the discovery of larger campaigns, and, fearing public backlash and market losses, lead to increased investment in security. The ability of companies to withhold this information reduces the incentive for companies to make adequate investments to protect their networks. With greater disclosure of incidents should come higher levels of investment to protect those incidents from occurring in the first place.
The Securities and Exchange Commission (SEC), the president, and Congress should all move swiftly to bring the true state of cybersecurity in the United States out into the light. The SEC should require disclosures of intellectual property thefts, allowing markets to determine their impact and incentivizing better security. For his part, the president should expand current policies on notifying victims to include sharing such incidents with the SEC and monitoring for public disclosures by companies.
You can read the full brief here.