Politics aside, cyber and supply chain security is an issue we should take seriously, since it can ruin our companies and our good name. We have been writing and advising about cyber and supply chain security for over a decade now.1 Of course the issue has been of great concern, but it always seems that companies are scrambling after the fact.
By now we have all had a peek at the much awaited and not so surprising intelligence report on Russian hacking.2 At its core it is infuriating, anti-climactic and, quite frankly, boring. Spying is the second oldest profession (OK, maybe the oldest) and this is just a modern version. Since the beginning of the Atomic age, the Russians have been busily at work stealing our intellectual property on weapons3 as well as commercial products. But at the top of the list, of course, are the Chinese. Since Nixon went to China, they have developed sophisticated spying and hacking4 methods that are the source of much of their phenomenal economic rise and political “independent attitude” from the rest of the world.
I wish the report had gotten more into the economic war aspect of our relationship with Russia. It was hinted at in one report on the attempts by the Russians to disseminate disinformation regarding fracking. Russia considers fracking or clean energy initiatives potential threats to their oil, gas, and chemical industries (upon which their economy is highly dependent), so mounting disinformation and creating doubt in the West about the safety and viability of fracking was a goal. But compared to what is really going on — an all-out cyber war — our response as a nation and as a business community has been pretty weak. Face it: We are at war with the largest cyber armies in the world — and not just Russia or China.5 The financial impact is far more than the overt terrorism that plagues us.
It’s the Economy, Stupid
A 21st Century war with Russia or China is not likely to be fought with guns.6 Rather, it is about economics. Stealing trade secrets has been a constant activity of Russia and, especially, China.
Before he left office, President Obama stated, “The Chinese have, in the past, engaged in cyberattacks directed at our companies to steal trade secrets and proprietary technology. I had to have the same conversation with President Xi. And what we’ve seen is some evidence that they have reduced, but not completely eliminated, these activities.”7 Really? Although they may seem to be hacking our country and your company a little less, it appears that they just transferred their hacking to our more vulnerable trading partners. Since the US outsources so much technology, this is not a time to become complacent.
Though you may have great security on your own servers, your suppliers and partners may be very vulnerable. Over the last few decades, more and more functions have moved to third parties: IT, payroll, HR, facilities management, security, R&D, legal, accounting, sourcing and procurement, on top of the traditional customer service, logistics, and manufacturing functions. The drive to lower costs and raise margins makes this an unstoppable trend. But along with it, the risk has increased for many corporations as visibility and control have decreased. Few purchasers of outsourced services conduct and maintain vigilance over their partners’ infrastructure, technology, and employee trustworthiness. Supplier risk strategies are paramount.8
In fact, China’s growth has been fueled by the West — overtly and covertly. A report by the EPOCH Times, Murder, Money and Spies, uncovered data on how the Chinese have stolen trade secrets through cyber hacking to build the most strategic elements of their economy. No doubt there is a lot to admire about the dedicated and hardworking average Chinese citizens who have sacrificed so much to uplift their families and country. But the fact remains that since the emergence of China after the death of Mao, the US, especially, has been targeted. In fact, according to US government reports, Deng Xiaoping directed and provided funding for efforts to steal U.S. technology and sensitive economic information.9
Of course, the US is not the only injured party. In the EU, “China remains the main country of provenance from which goods suspected of infringing an IPR [Intellectual Property Rights] were sent to the EU, representing 66 percent of all products detained,” said a recent report by Black Market Watch.10
And the World Customs Organization reported that “the number of registered cases of IPR infringements by customs over the last 10 years has risen from 7,553 in 2001 to 90,473 in 2012, an increase of 1200% over a decade.”11 By various estimates this represents $455B to $650B in losses.
It is also obvious that one of Putin’s major goals is the destabilization of the EU and NATO,12 which have restricted trade with Russia.13 The Russian economy is hurting due to low oil prices and sanctions.14
The US Trade Representative has a watch list of countries where there are major violations of our product protections. Currently these are: Algeria, Argentina, Chile, China, Ecuador, India, Indonesia, Kuwait, Pakistan, Russia, Thailand, Ukraine, and Venezuela.
According to the Trade Representative’s report,
“The problems of trademark counterfeiting and copyright piracy continue on a global scale and involve the mass production and sale of a vast array of fake goods and a range of copyright-protected content pirated in various forms. Counterfeited goods include semiconductors and other electronics, chemicals, automotive and aircraft parts, medicines, food and beverages, household consumer products, personal care products, apparel and footwear, toys, and sporting goods.
Consumers, legitimate producers, and governments are harmed by trademark counterfeiting and copyright piracy. Consumers may be harmed by fraudulent and potentially dangerous counterfeit products, particularly medicines, automotive and airplane parts, and food and beverages that may not be subjected to the rigorous “good manufacturing practices” used for legitimate products. Producers and their employees face diminished revenue and investment incentives, an adverse employment impact, and loss of reputation when consumers purchase fake products. Governments may lose tax revenue and find it more difficult to attract investment because infringers generally do not pay taxes or appropriate duties, and often disregard product quality and performance.”
Note: Even though the Trade Representative emphasized hacking, a vast amount of counterfeiting is done by reverse engineering of products. Companies need to be extra vigilant, especially in the early stages: during design and strategic supplier selection, through to product launch, for starters. It is also essential to ensure you are not trading with those on the denied parties list, that you know who you are selling to, and, if and when you do decide to outsource, that you have legally vetted the supplier and their suppliers. Again, supplier risk programs should be the lifeblood of your manufacturing and sourcing strategies. Then, in logistics, the issue is traceability, depending on the product at the serial number level, from source through to the consumer.
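As an added illustration of the serial-level traceability the note calls for (example code written for this edit, not code from the original article or from any vendor's product), the Python below keeps a single hash-chained custody ledger for serialized units and checks it three ways: against a vetted-party list, against the route a genuine unit must follow, and for the same serial completing a stage twice, which is what a cloned counterfeit looks like in the data. The party names, the stage list and the shipment records are constructed for the example.

```python
"""Serial-level traceability: a hash-chained custody ledger for serialized units.

Each custody event (manufactured, shipped, received ...) is appended to one
ledger and bound to the previous event by a SHA-256 hash, so a record that is
altered after the fact breaks the chain. Verification then checks every serial
against the vetted-party list and the expected route.
"""
import hashlib
import json
from collections import defaultdict

GENESIS = "0" * 64

# Assumption for the example: the trading partners a supplier-risk program has
# legally vetted. Any other party on the ledger is treated as unvetted/denied.
APPROVED_PARTIES = {"factory-01", "dist-eu", "retail-us"}

# Assumption: the custody stages a genuine unit passes through, in this order.
EXPECTED_ROUTE = ["manufactured", "shipped", "received_distributor", "received_retailer"]


def event_hash(prev_hash, serial, stage, party, ts):
    """Hash of one custody event, bound to the hash of the event before it."""
    payload = json.dumps([prev_hash, serial, stage, party, ts], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_event(ledger, serial, stage, party, ts):
    """Append a custody event whose hash chains to the last event on the ledger."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ev = {"prev": prev, "serial": serial, "stage": stage, "party": party, "ts": ts}
    ev["hash"] = event_hash(prev, serial, stage, party, ts)
    ledger.append(ev)
    return ev


def verify_ledger(ledger):
    """Return a sorted list of (serial, finding) pairs; an empty list means clean."""
    findings = set()

    # 1. Tamper evidence: each stored hash must match its stored fields, and each
    #    stored prev must equal the hash of the event immediately before it.
    prev = GENESIS
    for i, ev in enumerate(ledger):
        if ev["hash"] != event_hash(ev["prev"], ev["serial"], ev["stage"], ev["party"], ev["ts"]):
            findings.add((ev["serial"], f"event {i} altered after recording"))
        if ev["prev"] != prev:
            findings.add((ev["serial"], f"event {i} chain link broken"))
        prev = ev["hash"]

    # 2. Per-serial checks: vetted parties, a manufacturing origin, route order,
    #    and no stage completed twice (two units carrying one serial = a clone).
    by_serial = defaultdict(list)
    for ev in ledger:
        by_serial[ev["serial"]].append(ev)
    for serial, evs in by_serial.items():
        for ev in evs:
            if ev["party"] not in APPROVED_PARTIES:
                findings.add((serial, f"unvetted party '{ev['party']}' at {ev['stage']}"))
        if evs[0]["stage"] != EXPECTED_ROUTE[0]:
            findings.add((serial, "no manufacturing record: grey-market or counterfeit unit"))
        seen, last = set(), -1
        for ev in evs:
            stage = ev["stage"]
            if stage in seen:
                findings.add((serial, f"stage '{stage}' recorded twice: cloned serial"))
            seen.add(stage)
            if stage not in EXPECTED_ROUTE:
                findings.add((serial, f"unknown stage '{stage}'"))
                continue
            pos = EXPECTED_ROUTE.index(stage)
            if pos < last:
                findings.add((serial, f"stage '{stage}' out of sequence"))
            last = max(last, pos)
    return sorted(findings)


def build_sample_ledger():
    """Constructed sample shipments (not real records): one clean unit, one
    cloned serial, and one unit that surfaced at an unvetted broker."""
    ledger = []
    records = [
        ("SN-001", "manufactured", "factory-01"),
        ("SN-001", "shipped", "factory-01"),
        ("SN-002", "manufactured", "factory-01"),
        ("SN-002", "shipped", "factory-01"),
        ("SN-001", "received_distributor", "dist-eu"),
        ("SN-002", "received_distributor", "dist-eu"),
        ("SN-001", "received_retailer", "retail-us"),
        ("SN-002", "received_retailer", "retail-us"),
        ("SN-002", "received_retailer", "retail-us"),  # same serial arrives twice: a clone
        ("SN-003", "received_distributor", "broker-xyz"),  # never manufactured, unvetted party
    ]
    for ts, (serial, stage, party) in enumerate(records, start=1):
        append_event(ledger, serial, stage, party, ts)
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for serial, finding in verify_ledger(ledger):
        print(serial, finding)
    # Rewriting a custody record after the fact (e.g. to hide a diversion)
    # no longer matches its stored hash, so the ledger flags it.
    ledger[4]["party"] = "broker-xyz"
    print("after tampering:", verify_ledger(ledger))
```

The chain only proves that the ledger has not been altered since each event was written; it says nothing about whether the party that wrote the event was telling the truth. That is why the party check and the route check sit beside it: a vetted partner can still be compromised, but an unvetted broker appearing mid-route, or a serial completing the retail stage twice, is the signal that a counterfeit or diverted unit has entered the channel.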
Can You Survive This?
Although specific financial numbers are not generally reported to the public on how much is spent recovering from breaches, product recalls, and so on, our data shows it can bury small companies and severely impact the balance sheet of the large.
Companies incur many losses, such as:
1. Brand value and customer loyalty.
The event itself is bad enough. It feels like a violation and business owners take this very personally. Why me? But subsequent revelations are bound to unfold that expose the company’s internal practices — or lack thereof — and shine a light where companies don’t wish to be exposed.
In testimony before the US Congress, House Small Business Committee, Rick Snow, a small business owner from Maine, stated, “I logged into our bank account, and to my utter horror, I found that my balance was zero.” Hats off to Mr. Snow for coming forward, since many businesses are loath to speak in public about this.
Though the big companies get all the news, it is the small companies who have to shoulder a lot of the burden of our insecure world. Small businesses are the bedrock of our economy and our community and they also are the biggest target of hackers. “This was a pay day, and I was terrified that the paychecks that were issued that day would not clear. We were supporting a number of families, many of which live paycheck-to-paycheck and could not have made it without the paycheck we issued them that day,” Mr. Snow continued. “I was also very worried about our business’ reputation since a restaurant nearby had just bounced their paychecks and the company never recovered from the bad publicity they received from not making their payroll,” Snow added.15
2. Injury to customers and employees.
Consumer safety is paramount to avoid the tragic and legal consequences of bad products. Since there are virtually no legal or financial consequences for the damage done outside their own borders,16 corporations must have a strong defensive strategy. Statistics show17 that it is more than 30 days before a company even realizes they have been hacked. By then, the horse has gotten very far from the barn, and won’t be retrieved quickly, if at all.
3. Financial loss.
More to the point, the IP Commission Report has tried to quantify these losses. The report states:
The Impact of International IP Theft on the American Economy: hundreds of billions of dollars per year. The annual losses are likely to be comparable to the current annual level of U.S. exports to Asia — more than $300 billion. The exact figure is unknowable, but private and governmental studies tend to understate the impact due to inadequacies in data or scope. The members of the Commission agree with the assessment by the Commander of the United States Cyber Command and Director of the National Security Agency, General Keith Alexander, that the ongoing theft of IP is “the greatest transfer of wealth in history.”
Other financial impact includes:
- Millions of jobs. If IP were to receive the same protection overseas that it does here, the American economy would add millions of jobs.
- A drag on U.S. GDP growth. Better protection of IP would encourage significantly more R&D investment and economic growth.
- Innovation. The incentive to innovate drives productivity growth and the advancements that improve the quality of life. The threat of IP theft diminishes that incentive.
Trade secrets comprise an average of two-thirds of the value of firms’ information portfolios, and that percentage rises to 70% to 80% for knowledge-intensive industries such as manufacturing, information services, and professional, scientific, and technical services. This value, however, can be tenuous; once a trade secret is made public or is obtained by a competitor, its value may be substantially or entirely lost — a loss that may not be recoverable.18
4. Loss of shareholder value.
For large and public firms, the share price can fall 2% to 8% when these breaches are announced.
- Loss of sales. Wary consumers flee. And often, the company has to offer discounts and incentives to woo customers back, reducing profits.
- Lack of business continuity. Disruption of your business activities.
- Recovery costs. The forensic teams swoop in — not a cheap affair. Firms also have to put in place reputation risk and communications teams to deal with customers, trading partners and media; and customer service staff to deal with customer issues. Firms often set up services such as credit monitoring and other services for their customers to use, so additional fees accrue.
5. Unstoppable bleeding.
Often these issues (counterfeiting, hacking and so on) go undetected for so long that it just may be too late. And small companies simply don’t have the resources to go after the bad guys. Litigation in those countries responsible for most of the counterfeiting is a sad affair. You may be able to shut down a plant, but they just open a new one under a new name down the road. It is a game they have become quite good at. As a result, even when counterfeiting is detected and the perpetrators are known, the vast majority of brand owners don’t have the resources to go after them.
Next Generation – Autonomous, Smart, and Insecure
Also alarming is our new world of IoT: autonomous, driverless vehicles; remote controlled devices; and many smart products that will collect proprietary information and make decisions.19 IoT breaches will continue to grow, we predict, in 2017 and beyond. (Read the IoT Security Imperative.)
To quote Wired, a “pair of security researchers proved beyond any doubt that car hacking is more than an action movie plot device” when they remotely hacked a Jeep and ran it off the road, prompting a significant reaction from DOT and the FBI.
The Department of Transportation’s National Highway Traffic Safety Administration (NHTSA) and the FBI issued a public service announcement, prompted by this demonstration, on the risks of IoT and vehicle hacking.20 In the announcement they stated:
“Vehicle hacking occurs when someone with a computer seeks to gain unauthorized access to vehicle systems for the purposes of retrieving driver data or manipulating vehicle functionality. While not all hacking incidents may result in a risk to safety — such as an attacker taking control of a vehicle — it is important that consumers take appropriate steps to minimize risk. Therefore, the FBI and NHTSA are warning the general public and manufacturers — of vehicles, vehicle components, and aftermarket devices — to maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles.”
To further quote the FBI, “Once exploited, the vulnerability allowed access to and manipulation of critical vehicle control systems; the population of vehicles potentially at risk was huge; and the likelihood of exploitation was great” (emphasis mine).
Does this mean that I have to purchase anti-virus software for my car, washing machine and my toothbrush? It may be so. Though it may appear that I am going a little off the main theme in this article, actually, I don’t think so. Since IoT devices are, de facto, connected to the internet, they are subject to the same vulnerabilities and are accessible by the same rogues. And since consumers are downloading apps with enthusiasm, the amount of data that might be interesting to a hacker, and the opportunities to get it (so many potential entry points), are immense. Think of the opportunity to destabilize a society!21
Reliable. Secure. Safe. These are all words our customers, our trading partners, and even our work colleagues expect to hear when using our products, exchanging cash, sharing information and interacting with us. However, the last few years have seen a significant decline in how secure, safe and trustworthy those interactions are, and a rise in the incidence of hacking and other risks.
As Abraham Lincoln said, “You cannot escape the responsibility of tomorrow by evading it today.” It seems that business, government and, well, all of us have been trying to evade the obvious with the outcome now known. Not to be negative, but it will get worse if business does not take strong action. We cannot expect government to do much on our behalf.22 They have their own problems to sort out.23 Government and businesses need to create more agile and secure systems. If we can put a man on the moon and land vehicles on asteroids deep in space, surely we have the know-how to address these issues. The question is, do we have the will?
1 See our Supply Chain Risk Management library and also read: Sorry, DropBox
2 PDF: intelligence report on Russian hacking
3 Smithsonian: Spies Who Spilled Atomic Bomb Secrets
4 New York Times: U.S. Case Offers Glimpse Into China’s Hacker Army
5 See US Trade Representative website for list.
6 Although it appears unimaginative minds tend to focus on guns alone. Surely defense is an issue, as recent Chinese hacks show, but the goal of the hacks is more economic destabilization and stealing trade secrets.
7 Wired Magazine: Obama Curbed Chinese Hacking, But Russia Won’t Be So Easy
8 For an insightful report on this, see my colleague Bill McBeath, who has written extensively on supplier risk.
9 U.S. Office of the National Counterintelligence Executive: 2011 report. The efforts are official programs of the Chinese government. For example: “In its original state, Project 863 targeted seven industries: biotechnology, space, information technology, automation, laser technology, new materials, and energy. It was updated in 1992 to include telecommunications, and was updated again in 1996 to include marine technology.
The Chinese regime’s official programs to help facilitate foreign theft are not limited to Project 863, however. They also include the Torch Program to build high-tech commercial industries, the 973 Program for research, the 211 program for ‘reforming’ universities, and ‘countless programs for attracting Western-trained scholars “back” to China,’” according to “China’s Industrial Espionage.” Excerpt from EPOCH TIMES report.
10 Svenskt Näringsliv, Black Market Watch: How Leading Companies Are Affected by Counterfeiting and IP Infringement, May 2015.
11 CT-Strategies: The World Customs Organization (WCO) Illicit Trade Report, June 2014.
12 Though this link is to an article in German, it can be translated with Google. It is about the money trail between Putin and the far right in the EU: Putin fördert europäische Rechtspopulisten (“Putin promotes European right-wing populists”)
13 Observer: Putin’s Support for Europe’s Far-Right Just Turned Lethal
14 According to a recent survey by the Levada-Center in Moscow, seventy-one percent of Russians have a “bad or very bad” opinion of the United States. In fact, Russians’ opinion of the United States is the lowest since the fall of the Soviet Union.
15 See more at: House Passes Committee-Led Small Business Cybersecurity Bill
16 Inside China, the government has demonstrated remarkable harshness for various food tainting scandals: Death sentences in China tainted milk case. If corporate leaders thought they might spend 10 or 15 years’ hard labor or receive a death sentence, it surely would motivate them to address faulty products. (Of course, I am not recommending this approach.)
17 ChainLink PDF: Managing Cyber Risks: Not Just for Big Retailers
18 Covington PDF: Economic Espionage and Trade Secret Theft: An Overview of the Legal Landscape and Policy Responses
19 A Potpourri of Predictions for 2017
20 FBI PSA: Motor Vehicles Increasingly Vulnerable to Remote Exploits
21 Think of this: ‘white hat’ hackers have successfully hacked airplanes, nuclear power plants and traffic light systems too.
22 But there is at least some help for small business: H.R. 5064, the Improving Small Business Cyber Security Act.
23 With an executive branch that does not want to peer below the surface of the real issues in the Russian hacking. Wired report: Trump Ignoring US Intelligence Creates Risks Beyond Russian Hacking