The desire to steal the intellectual property (IP) of others, be they creative individuals or company teams working in patent pools to create new innovations, has not changed. Political methods have become more sophisticated in terms of devaluing the output of creative humans by creating open-source access,1 which can be taken freely by all and sundry. There was a furore, for example, after an Open Access Library opened in San Francisco, California, that of its own accord stocked well-known books without author permission or intention to recognise or compensate the authors with royalties. It was only when the biggest-name authors threatened to sue that it took notice. This also happens with well-known inventors. The renowned British inventor James Dyson won £4 million from Hoover, a vacuum cleaner competitor,2 for infringing a Dyson patent, but believes he would have lost the case if his company had been smaller. The other major way to deprive creative people of their rewards for original thinking and innovativeness is through cyberattack, which is on the increase globally and needs to be addressed as this book does. The theft of IP through cyberattack for whatever motivation must not be underestimated. In fact, the new ‘tsars’ of the digital age such as those who founded Napster, Facebook and Google wish to have the same control or even more than the corporate capitalists they criticise when it comes to profiting from content creators and the creative process. Sean Parker, who founded Napster, was one of the earliest examples of someone who created software that digitally extracted the music content of CDs and allowed up to 70 million users to share it on computer networks for free. Parker knew he was breaking copyright law and stealing IP from music content creators. Eventually record companies filed a legal challenge to this blatant copyright infringement and shut Napster down in July 2001.
Sean Parker had no regrets about becoming a convicted corporate hacker, revelling in the fact that he was the inventor of the first technology to steal IP. As shown in the film The Social Network (about Facebook), Parker was eventually appointed President of Facebook by Mark Zuckerberg, the founder of Facebook. Larry Page, the founder and CEO of Google, never had the talent to become a saxophonist or a composer of music, so he moved to computer science, eventually founding Google. When setting up the governance of this digital corporation, Page and his partner at Google, Sergey Brin, organised a two-tier stockholder system in which they had ten times the voting power of those who bought publicly offered shares. As Page explained in his first letter to shareholders, ‘new investors will fully share in Google’s long-term economic future but will have little ability to influence its strategic decisions through their voting rights’. The underlying philosophy seems to be that it is fine to take creative content without asking permission, as Google copied the entire content of the world wide web and indexed it without asking anyone’s permission. This all follows on from Page’s initial creation of software to extract music content from CDs infringing copyright and stealing IP without permission from anyone.3
It is not surprising then that hackers and proponents of digital-age corporations such as Napster, Facebook and Google find the stealing of IP and denying the genuine creators of content royalties a natural course of events in the same way as those who support open access. These tendencies are related to other web-based social malaise such as not respecting the private nature of data collection or the interference in the outcomes of elections. This has led the founder of the world wide web, Sir Tim Berners-Lee, to battle ‘digital dystopia’ and call for greater regulation and certain standards to be instituted. In November 2019 he proposed through his World Wide Web Foundation a Contract for the Web that would stop election interference by foreign powers, hate speech, abuse of privacy and disinformation.4
As my Managing Cyber Risk in the Financial Sector book noted, when planning to mitigate cyber risk the centre of the enquiry should not be prevention based on statistical modelling or solely on IT packages but on the human-based variables. Hackers cannot steal IP or alter GPS systems connected to ship navigation without human ignorance/error, collusion, grudges, greed, malice and geo-political imperatives. Therefore, it is important to understand not only how the technology works, such as the multiple connections of Internet of Things (IoT) devices, whose interconnectivity gives hackers so many more weaknesses to exploit to enter the cyber system, but also the human motivation for the hacking. It is also crucial to look internally in an organisation to find those with a motivation to carry out cyberattacks to undermine the system without being caught. In an increasingly complex world and particularly with cyberwarfare, we must assess the motivations of the very human global players behind the cyberattacks. Likewise, in a company it is essential to train staff and customers as well as managers in SME supply chains. Those that supply goods to the larger companies are the weakest links because of their lack of human resources. Larger companies are usually the best prepared to counter cyberattack because of an abundance of resources, both human and technological, due to economy of scale.
IP theft
As Mike Pompeo, the US Secretary of State, noted5 in relation to the current trade problems with China, IP theft is at the heart of most cyber risk/attack problems. ‘China steals intellectual property for military purposes,’ he said. ‘It wants to dominate AI, space technology, ballistic missiles and many other areas.’
This could not be a truer statement as my research visit in March/April 2019 to Japan for this book showed that the greatest cyber risk/attack issues revolve around IP theft. A Japanese survey that took place in 2018 and was published the following year by the prestigious Institute for International Socio-Economic Studies (IISE) showed IP theft to be highest in Japan when looking at institutional targets of cyberattack – 25% in Japan compared to 10% in Asia as a whole and 12% globally. This is why we focus on Japan in this book as IP theft is extraordinarily high. Globally, IP theft is highest in the US, the UK and Western Europe. According to this IISE survey, business interruption (BI) was the main target of cyberattacks on organisations, globally at 30%, in Asia at 27%, while in Japan at 17%. These differences are very significant for assessing the reasons why IP theft is under-studied and why its impact targets few but economically significant countries with often crippling effects. BI can also be crippling for business and government organisations but can be restored, while theft of IP cannot be regained without devastating effects for the organisation or individuals.6 Interestingly, the occurrence of targeted cyberattack for geo-political or state reasons is at 6% for Japan and Asia and 5% globally, which is much less significant compared to the media attention it receives.7 Yet, in industries such as the maritime sector or insurance, which are global in nature due to international trade, state/geo-political cyberattacks are increasing.
IP vulnerability
It is the intangible aspects of IP that make it so vulnerable to cyber risk and attack affecting business and trade relations worldwide. It can operate at a number of levels and in all types of industries as this book will demonstrate. Levels include industry, government, military defence establishments and businesses of all sizes. The geo-political, trade sectors and finance including banking and insurance are all prey to this 21st-century digital-age menace. Some industries are more prone to IP theft, cyberattack and potential/variants of cyberwarfare, often in unexpected ways, such as shipping, national grids, defence systems and retail banking systems. Examples, as in previous books, are mainly from Japan, Europe and the USA but in terms of the shipping sector, for instance, it can occur anywhere in the world because of global trade routes.
Cyber risk/attack and IP theft are very broad topics that touch most aspects of our lives but often most of us are not even aware of them or of the remedies for dealing with them at all the different levels. For example, the insurance industry, which through underwriting should cover a wide range of cyber risk, is only now dealing with silent cyber risk. Two new London Market model clauses to help underwriters manage cyber losses have been published by the International Underwriting Association (IUA). The wordings have been developed in order to address issues of non-affirmative or ‘silent’ cover, where traditional insurance policies may unintentionally suggest protection for undefined cyber risks. The importance of wordings cannot be underestimated as explained in my presentation at the book launch of Managing Cyber Risk in the Financial Sector in the City of London on 16 March 2016 supported by the IUA. I stated that:
Since then definitions of cyber words used in insurance documents have moved forward.8
First, a Cyber Loss Absolute Exclusion Clause (reference: IUA 09-081) provides market participants with an option to exclude in the broadest possible manner any loss arising from the use of a computer system, network or data – each of which is clearly defined. Meanwhile, a Cyber Loss Limited Exclusion Clause (reference: IUA 09-082) enables only the exclusion of losses directly caused by cyber events, rather than ‘directly or indirectly’.
Chris Jones, IUA director of legal and market services, said:
Both clauses were developed in response to concerns expressed by the Prudential Regulation Authority (PRA) about potentially unintended or unclear provision of coverage for cyber risks in various classes of insurance business. The issue was addressed by the regulator in a November 2016 consultation paper (‘Cyber insurance underwriting risk’) and subsequent policy statement (PS 15/17). Companies were urged to actively manage their exposures by considering adjustments to premiums, robust wording exclusions and specific limits of cover.
Mr Jones added: