On July 6, the governments of the U.S. and U.K. warned businesses of the possibility that entities sponsored by the Chinese government may attempt to steal valuable corporate intellectual property and other materials.
The threat of corporate espionage — including by state-sponsored actors — is not new. The governments’ warning, however, should serve as a reminder to organizations of their need to ensure strong cyber hygiene to protect against a variety of potential threats.
Intellectual property in danger
On July 6, the heads of two leading American and British law enforcement and security agencies — FBI Director Christopher Wray (opens a new window) and MI5 Director General Ken McCallum (opens a new window) — jointly addressed a group of business and academic professionals about what they described as the growing long-term threat from China against the interests of the two countries and their allies.
Wray and McCallum expressed particular concern about the economic and national security threats posed by Chinese state-sponsored hacking and espionage targeting valuable corporate intellectual property (IP) and research. Wray noted that China’s “lavishly resourced hacking program [is] bigger than that of every other major country combined.”
The two officials urged businesses to work with law enforcement and outside vendors to take steps to preserve IP that can be critical to gaining competitive advantages.
The FBI and MI5 directors painted a dire picture of the cyber and IP risks from China that businesses, academic institutions and other organizations face today and going forward. Underscoring the seriousness of the matter, McCallum noted that the briefing was the first-ever joint public appearance by the agencies’ two leaders.
Eight critical controls
The joint briefing highlights the need for organizations to adopt and maintain strong cybersecurity controls given the complex cyber risk landscape they face. To mitigate the effects of cyberattacks, including those intended to steal valuable and/or sensitive IP, organizations should — at a minimum — implement the following controls:
1. TIMELY SOFTWARE PATCHING. Regular, consistent patching of software can help to eliminate flaws in software as they are identified by vendors and exploited by threat actors. Organizations should establish clear procedures for receiving and deploying patch notifications that ensure vendor communications regarding critical patches are quickly reviewed — generally, within 24 hours.
2. MULTIFACTOR AUTHENTICATION (MFA). MFA should be enabled for remote access, administrator accounts and email, and require at least two authentication measures — for example, a password and token.
3. PHISHING TRAINING & AWARENESS. Promoting an organizational culture of mindfulness around cybersecurity can help to minimize the frequency of successful intrusions. Simulated phishing attacks and regular training can help to assess vulnerabilities in workforces and identify opportunities to improve risk awareness.
4. SECURITY MONITORING. Organizations can use Security Incident Event Management (SIEM) systems to collect and analyze aggregated log data. They can also address logged security events through Security Operations Centers (SOCs) consisting of people, processes and technology.
5. ENDPOINT DETECTION & RESPONSE (EDR). EDR tools can secure end-user devices, such as laptops and mobile phones, examine files as they enter networks and respond to any malicious activity or threat source.
6. ACCESS MANAGEMENT. Access to critical information, data, applications, processes and platforms should be limited and restricted to privileged accounts. Organizations can use several tools to keep privileged account credentials secure and should establish processes to periodically review such accounts.
7. NETWORK & INFRASTRUCTURE SEGMENTATION. Dividing networks into multiple segments or subnets can improve performance and provide additional security: Even if a threat actor infiltrates one segment, the chances of compromising the entire network are diminished. Particular attention should be paid to keeping valuable and/or sensitive IP in highly secure and controlled areas.
8. ROBUST BACKUP POLICIES. Critical information should be backed up at least weekly, with backups segmented and encrypted. Organizations should make use of off-site storage, with either cloud-based or physical server solutions in another secure location without a persistent connection. Although backing up critical IP cannot prevent its theft, it can ensure that such IP remains accessible to organizations.
Organizations that already have these controls in place should take the opportunity to audit them. It’s not enough for organizations to simply check the box; rather, they should consider adopting best-in-class standards.
Beyond these specific controls, organizations should seek to increase their knowledge of cybersecurity trends to which they may need to respond. Government agencies, including the FBI and Cybersecurity and Infrastructure Security Agency in the U.S. and the U.K.’s National Cyber Security Centre and Government Communications Headquarters, along with software publishers and cybersecurity vendors, also represent useful sources of information about emerging vulnerabilities.
Insurance & claims considerations
In addition to mitigating the effects of potential cyberattacks, strong cyber hygiene is also now expected by underwriters — and in fact has become a prerequisite for purchasing cyber insurance coverage.
Broadly speaking, the source of a threat — whether from a statesponsored actor, criminal network or individual hacker — is largely irrelevant. The steps potential targets should take to mitigate the effects of cyberattacks are the same regardless of from where the attacks originate.
Cyber insurance coverage is similarly designed to respond to a cyber intrusion or attack, whether it originates from a state-sponsored actor or another entity. The only significant exception is attacks resulting from war or warlike activities.
It is important to note, however, that while cyber insurance can provide valuable coverage — including for any costs required to return to operational status following an attack — the loss to an insured company of its IP is not covered under standard cyber insurance policies.
Although organizations should be mindful of the espionage risks outlined by the FBI and MI5, we expect that underwriters will continue to focus on how insureds can detect and stop cyberattacks of all types during upcoming renewal discussions.
If an organization discovers an intrusion that may be an attempt at espionage, it should immediately notify its insurer, as coverage will not respond to any costs incurred before notification. It may also be in an organization’s interest to notify law enforcement, although governments and corporate entities may have conflicting priorities. Organizations should work with their legal advisors to ensure they comply with any applicable regulations, including notification to law enforcement as appropriate.