In 2004, hackers compromised the credentials of Nortel’s CEO Frank Dunn to steal about 800 ultra-sensitive documents and send them to an IP address registered to Shanghai Faxian Corp, a front company with no known business dealings with Nortel. That was corporate espionage at its finest with dramatic ramifications for Nortel: The sudden rise of a Chinese competitor (Huawei) and bankruptcy soon after.

Fact: Spying happens every day, multiple times a day in every country. It’s called corporate espionage. Interestingly, the same way countries have differing cultures and values, they also have their own strategies, goals and preferences in how to steal others’ intellectual property and technology. Russian companies, for example, want to make sure they’re not left behind technologically. French and American corporations mostly seek information that will give them an edge with contract bidding. Chinese organizations want to build a presence and gain market share quickly and inexpensively (Source: Eric Denécé, director of the French Center on Intelligence Research).

General Keith Alexander, a now retired four-star general of the United States Army, who served as director of the National Security Agency, once said, “The loss of industrial information and intellectual property through cyber espionage constitutes the greatest transfer of wealth in history.”

Let’s take a look at the reality of intellectual property theft, some of its causes, and a potential solution.

Intellectual Property Theft

The United States is the world’s greatest producer of intellectual property (IP). Here are some interesting statistics pertaining to U.S. IP and the interest it triggers, especially from the Middle Empire:

  • IP accounted for $5.06 trillion in value added, or 34.8 percent of U.S. GDP in 2010. IP alone accounts for over 40 million U.S. jobs and over 60 percent of all U.S. exports (source: U.S. Department of Commerce).
  • The amount of international theft of American intellectual property is roughly $300 billion per year and 2.1 million additional jobs in the U.S. economy (source: Commission on the Theft of American Intellectual Property, 2013).
  • While China is not the only actor targeting U.S. IP and technology, it is the only nation that considers acquiring foreign science and technology a national growth strategy (source: Commission on the Theft of American Intellectual Property, 2013).
  • Chinese theft of American IP currently costs between $225 billion and $600 billion annually (source: United States Trade Representative, 2017)

The point of sharing this information is not to point a finger at China but facts are facts. Any research about U.S. IP theft shows that there is a common denominator, and it’s always China. If you take a look at the Intellectual Property Theft/Piracy News section on the FBI website, it is indeed almost entirely about China…

Cyberattacks Don’t Happen by Accident

Today, cyberattacks are the most efficient way of stealing IP. The process is quick and cheap. Having said that, there is a way of decreasing the volume of theft. Instead of continuing to endure the growing financial burden that IP theft represents for our economy, there are actions that could be taken today to stop the trend. And as much as they sound simplistic, a great majority of our wealthiest and most innovative corporations continue to ignore these potential solutions.

Hackers are highly successful because the level of IT security in most corporations is dismal. There are two major weaknesses: 1.) the organization’s currently used workforce identification and authentication, and 2.) the way an organization’s intellectual property is stored.

Physical and Logical Access: Limitations

Passwords are obsolete because hackers have access to the (cheap) technology that cracks them in no time. You and I can even buy such technology on the Dark Web for a fraction of a Bitcoin. Two-factor authentication (2FA) and multi-factor authentication (MFA) solutions are far less secure than their vendors want to admit. With only 2FA, an individual’s passwords, which is the first authentication factors, can be stolen. And you can guess what happens with the second authentication factor if an employee’s phone gets stolen.

There are 2FA solutions that involve basic biometrics as a second factor of authentication, but Touch ID and Face ID can easily be compromised. The weakness, in terms of security, is magnified, when an employee finds himself locked out of a system after losing a factor. Ironically, this employee actually finds himself in the very same position as a hacker, who’s trying to gain access to the employee’s account. So, if an account can be reset without an access factor, then a hacker can do this, too – faster and better. Hackers are seasoned criminals and they can set up or reconfigure two-factor authentication to keep the real account holder out of his or her own accounts. Some MFA solutions leverage other sets of biometrics as a third layer of authentication, but let’s keep in mind that a person’s voice, for example, can be replicated, fingerprints can be copied, and faces can be spoofed. Finally, an access card to enter a secure area can easily be copied and an iris scanner can be hacked.

Cyber thieves launch phishing attacks to compromise credentials, among other forms of data. Then they leverage those stolen credentials to launch spear-phishing attacks, which are communications coming from a trusted individual or organization and one with whom you, the target, are likely to engage. Would you dismiss an urgent email coming from your CEO? No, you wouldn’t.

Sensitive Data Storage: Limitations

To store any data, notwithstanding sensitive data, in a centralized cloud server is simply not a good idea. What do Facebook, Equifax, JP Morgan Chase and so many other Fortune 100 companies have in common? They’ve all been hacked at least once. And no matter the level of sophistication and experience these organization’s IT teams bring to the table, it is simply not possible to ensure the integrity and security of user data stored, because each time the data is stored in a centralized database. Centralized databases are the issue. What is required for their day-to-day maintenance and management makes them prone to human errors. Human error was actually the cause of approximately 90 percent of data breach reports data received by the Information Commissioner’s Office between 2017 and 2018. Furthermore, someone who has administrative access can do whatever he or she wants with the information it contains. And if one single point were to fail, then the entire system would crash. Lastly, in a central database data is stored unencrypted. While encryption is standard during the data transmission or data sending process, many enterprises continue to fail at implementing encryption for information held and stored within their databases. And that’s a hacker’s dream, because they are able to easily use stolen data in its rawest form. Having said that, centralized data storage has its own benefits like higher speed and availability, quick throughput and low latency but, again, at what cost…?

Can you say, “I’m done!” in Mandarin?

There are ways that can definitely contribute to the decrease of intellectual property theft. And it starts with identifying and authenticating individuals who have access to sensitive information with the highest levels of assurance possible. But that’s not all. How about storing information, including user data, encrypted in a system that is virtually unhackable? Finally, how about keeping track of who accesses what data in real-time and record it inside this uncompromisable system without any way of tampering with the recorded information?

Identification and Authentication

Identification and authentication for physical and logical access should reach the highest levels of assurance per the NIST 800-63-3 guidelines. What does that entail? The failure to create a secure ecosystem for identifying and then authenticating your workforce will always cast doubt on who is really accessing your systems, servers, files, etc. And your organization cannot afford to doubt its security at any time. So, the key is to put in place a potent ID proofing process that leaves no room for uncertainties concerning the employee’s identity. Such a process includes digitally triangulating enrolled government-issued documents as well as enrolled advanced biometric features with several other sources of truth. These three elements operate a series of data checks and verifications to prove an individual’s identity and leverage this process each time the same individual needs authentication to access a system or a service online.

Decentralized Data Storage

Decentralized cloud storage is secure and private. User data is not stored on a single centralized server. Instead, files are divided into multiple pieces and sent to different servers (also called “nodes”), consequently reducing the possibility of external control over user data. Blockchain-based decentralized cloud storage offers two major benefits:

  • Security: Data stored inside the Blockchain is encrypted, which if stolen would become useless. Files are encrypted with private keys, making it impossible for anyone without the key to access the file. Files are broken down into pieces, which are stored on multiple servers (nodes), so there is no single point of failure as with a centralized cloud server. If a node were to be compromised, the data would not. And, a Blockchain network self-audits every ten to fifteen minutes, which means that is a node were to actually be compromised, the system would recognize it and fix it.
  • Read and Record are the only two functions of a Blockchain-based decentralized cloud storage. It infers that no one can change the data that is recorded and stored in the system. If an employee were to authenticate to access sensitive information on a company’s server, all the elements that pertain to this action would be recorded and stored in the Blockchain, leaving no room for interpretation in case of inquiry for IP theft.

我受够了!(“I’m done!” in Mandarin)

Industrial and corporate espionage, including IP theft, has led major corporations to bankruptcy while others at the very same time rose from practically nowhere. To quote Natalie Obiko Pearson, “Nortel was once a world leader in wireless technology. Then came a hack and the rise of Huawei.” The risk of hacking can be dramatically mitigated if the right security measures in terms of workforce identification and authentication have been deployed and if sensitive data as well as user data is stored in a Blockchain-based decentralized cloud network. At the end of the day, there is only so much that technology can do to counter ego and greed, which are the two main drivers that push people to betray their employer and country. Ego and greed have always existed … very much like spying!

“Spying has always gone on since ancient times.” Vladimir Putin

Overcoming Resistance to Change on the Journey to Passwordless MFA
Read More