This article was originally published by the Council on Foreign Relations (CFR) on 16 October 2019.
Introduction
Threats to national and economic security emanating from cyberspace are all too real, but public disclosure of incidents of the theft of intellectual property (IP) is exceedingly rare. Former National Security Agency Director and the first Commander of Cyber Command Keith Alexander has labeled China’s theft of U.S. intellectual property through cyber means “the greatest transfer of wealth in history.” Few experts in the field dispute that conclusion. In November 2015, National Counterintelligence Executive William Evanina estimated that cyber-enabled economic espionage cost the U.S. economy $400 billion per year, with 90 percent of the theft originating in China.
Yet, given that few companies have ever disclosed their losses from cyber-enabled intellectual property theft, the public is left with a seeming paradox: government officials cite the prospect of devastating consequences from intellectual property and trade secret theft, but there are few public examples of companies that have been the victims of such actions. Why companies want to keep these incidents from the public is unclear. The rationale for disclosure, however, is strong. Rapid disclosure can inform defensive actions at other companies, allow the discovery of larger campaigns, and, fearing public backlash and market losses, lead to increased investment in security. The ability of companies to withhold this information reduces the incentive for companies to make adequate investments to protect it. With greater disclosure of incidents should come higher levels of investment to protect those incidents from occurring in the first place.
The Securities and Exchange Commission (SEC), the president, and Congress should all move swiftly to bring the true state of cybersecurity in the United States out into the light. The SEC should require disclosures of intellectual property thefts, allowing markets to determine their impact and incentivizing better security. For his part, the president should expand current policies on notifying victims to include sharing such incidents with the SEC and monitoring for public disclosure by the company.
Background: The State of Disclosure Laws
A hodgepodge of sector-specific laws and state-level laws govern disclosure policy. These laws are strongest for losses of consumer data and weakest on intellectual property theft. Under laws passed in all fifty states, companies are required to disclose the loss of personally identifiable information (PII). These laws have led to frequent notifications by companies of theft of credit card numbers and other PII in incidents at Target, Equifax, and Home Depot, among others. At the federal level, companies that are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) must both notify individuals when covered data is lost and report the incident to the Department of Health and Human Services (HHS). That information is then made publicly available at HHS’s breach portal. While many large health insurance companies have reported significant losses, some of the largest providers, such as Aetna and UnitedHealth, have gone significant periods without reporting large breaches.
In other sectors, disclosure is required, but only to regulators; it is not made public. The Department of Defense requires defense contractors to disclose cybersecurity incidents but does not disclose these incidents to the public, nor has the department provided any data on the number or types of incidents. Similarly, the Federal Energy Regulatory Commission (FERC) requires entities it regulates to disclose cybersecurity incidents, but it protects the anonymity of the disclosing entity. In a recent incident, an unnamed power company reported a “cyber event that caused interruptions of electrical system operations.” No further information was shared.
On intellectual property theft, the SEC has issued guidance on when a publicly traded company would need to disclose an incident. The guidance requires companies to determine whether the incident will have material effects on the company’s future earnings. Thus far, however, most disclosed incidents have had physical impacts on operations and thus could not have been kept confidential anyway, such as the NotPetya incidents. Congress has not strengthened these disclosure requirements: the proposed Cybersecurity Disclosure Act would not require companies to disclose whether they had suffered a breach, but only whether their board of directors had sufficient cybersecurity expertise.
The federal government does disclose some of what it knows about incidents to victim companies. Under Executive Order 13636, Improving Critical Infrastructure Cybersecurity, the secretary of homeland security and the attorney general were directed to establish a process to notify organizations when the federal government has information indicating that they have been the target or victim of malicious cyber activity. In the six years since the order went into effect, the Federal Bureau of Investigations has taken the lead on the notification process. According to a recent report from the office of the inspector general at the Department of Justice, the order led to twenty thousand victim notifications in the first five years of the program. The identities of these victims are protected information and not disclosed to the public. The report does not clarify the sectors targeted or the types of incidents.
The Challenge: How Public Companies Avoid Disclosure
NPR and Frontline documented in an investigation they conducted in spring 2019 how companies that are victims of this threat are unwilling to publicly disclose their losses. After contacting dozens of companies, including ten that were identified as victims (along with Google) in the 2010 Aurora incident, NPR could not persuade a single company to speak on the record. According to the law firm BakerHostetler’s 2019 Data Security Incident Response Report, only 53 percent of incidents at its client companies resulted in any form of notification, mostly driven by state-level requirements to notify individuals when PII is lost. A team at the law firm Debevoise & Plimpton found that in a three-year period, only eighteen of the Fortune 100 reported any kind of cybersecurity incident.
When publicly traded companies are forced to disclose a breach under state disclosure laws for PII or protected health information (PHI), they typically conclude, as Marriott did, that the incident did not pass the threshold of materiality and thus did not need to be disclosed in their SEC filings.
SEC guidance cautions against blanket, nonspecific disclosures. But in practice, disclosures are often broad; Citi’s latest annual SEC report is a good example. The report states:
Citi has been subject to intentional cyber incidents from external sources over the last several years, including (i) denial of service attacks, which attempted to interrupt service to clients and customers, (ii) data breaches, which obtained unauthorized access to customer account data and (iii) malicious software attacks on client systems, which attempted to allow unauthorized entrance to Citi’s systems under the guise of a client and the extraction of client data.
Unlike many other companies, Citi is in fact admitting that it has suffered data breaches, but the company provides no details that could inform investors on whether the incidents will have a material impact on the future value of the company.
From an investor’s perspective, it is difficult to reconcile the idea that intellectual property is important enough for a foreign government to target and steal yet that the theft of it is somehow not material. Yet when determining whether disclosure of a cyber incident is required, corporate counsel are able to interpret SEC guidelines in such a way as to rarely force their clients to disclose. In a hypothetical scenario, a pharmaceutical company might spend $1 billion developing a new cancer drug. The formula for that drug is then stolen by a Chinese hacking unit working for the Chinese government on behalf of a state-owned enterprise. The enterprise then uses the stolen data to manufacture a generic version of the drug. An investor might reasonably conclude that the IP loss would be material and should therefore be disclosed under SEC guidance. It is difficult to understand how a company could conclude that any information a foreign government thought was worth stealing would not be material in shareholder investment decisions.
The legal industry, however, has methods of concluding that such data losses are not material. Economic espionage typically does not involve the destruction of the stolen data: in the hypothetical, the victim company still has the formula and will still be able to sell the drug in most markets. While the Chinese company may be able to manufacture the drug, they lack marketing, sales, and distribution channels and would be unable to get the stolen medication through Food and Drug Administration approval. The losses will thus likely be confined to the Chinese market (albeit the second largest in the world) and the developing world. The company’s lawyers will hire an economist to assess the financial impact to the firm from the loss of the future income from these markets; the economist will conclude that the loss is negligible. The lawyers will ensure that these conclusions are well documented in the event that the incident ever becomes publicly known, while taking steps to ensure that it does not. The policies that allow this process to unfold must be changed.
Recommendations
The overall thrust of disclosure policy should be to gain a clear understanding of cybersecurity incidents to inform investor decisions and thereby align market incentives with national security interests in improving cybersecurity to protect the nation’s intellectual property. There will always be circumstances under which disclosure of an incident will not be in the public interest. Ongoing law enforcement investigations or intelligence collection that could be compromised would be grounds for withholding disclosure. Exceptions would also need to be put in place for deception campaigns; companies with sophisticated cybersecurity programs will often allow an adversary to compromise their network but contain them in a dummy environment in order to collect information on their tools, tactics, and intentions. Disclosure could compromise these activities. In circumstances where the victim company is engaged in a deception campaign in order to glean information on adversary tactics and intent, there would need to be exceptions on disclosure for a limited time period. Thus, a middle-ground solution might borrow a policy element from Europe’s Global Data Protection Regulation, requiring early notification to regulators but forestalling a decision on public disclosure until all interests can be taken into account.
With this construct in mind, policymakers should take the following three actions.
The SEC should require disclosure for any loss of intellectual property. Investors should be able to make their own determinations on the impact to future revenues from the loss of intellectual property to competitors. Along with the disclosure of the breach, companies could also provide their own analysis of the impact. There should be exceptions for when law enforcement or intelligence considerations necessitate withholding information from the public.
The SEC should require companies to disclose specific information about their cybersecurity annually even when no major breach or theft occurred. Disclosures should include the number and type of incidents that occurred in the previous year, using the Cyber Kill Chain or similar methodology to show how close adversaries came to achieving their objective. Disclosures should also include total spending on cybersecurity and spending as a percentage of information technology spending. To bring rigor to this process, the SEC should adopt a lexicon that defines terms including event, incident, and data breach.
President Donald J. Trump should revise Executive Order 13636 to clarify reporting and victim notification requirements. Currently, the order encourages but does not require notification. The revised order should make notification to victims the default and establish a process for reviewing exceptions to that policy. The president should require the Department of Homeland Security and the FBI to issue an annual report on disclosures that details the number of notifications and provides information on the sectors that were targeted, the size of the companies, the likely motivations of the attackers, and the time from discovery to disclosure. Victim notifications should then also be shared with the regulators for that organization.
Cyber campaigns could still go undetected. This reality, however, should not serve as an excuse for not disclosing to the public and to investors the large amount of information available about how companies are being affected by cybercrime and espionage.
About the Author
Rob Knake is the Whitney Shepardson Senior Fellow at the Council on Foreign Relations (CFR). He is also a senior research scientist at Northeastern University’s Global Resilience Institute.
For more information on issues and events that shape our world, please visit the CSS website.