Not as glamorous as NSA snooping, but IP theft is a real threat

Cyber-snooping is a threat to knowledge as well as privacy. EPA/Guardian/Glenn Greenwald

While Edward Snowden sits in a Russian airport, the repercussions of the NSA scandal are being felt far and wide. But while headlines warn us about personal data and privacy, an even more sinister threat is flying under the radar - the theft of intellectual property.

Every internet user has cause to wonder how their personal data is protected or even exploited by online companies. More problematic is the large amount of relatively petty fraud experienced through the theft of passwords and other personal information. Though a relatively low-level concern for many victims, such activity is evidently very often part of quite elaborate syndicates of international organised crime.

Intellectual property theft goes even higher - often, it seems, through a shadowy mix of a business’s competitors and intelligence agencies. The top end of the spectrum may even be linked to cyber-terrorism, sabotage and cyber-warfare.

Compared to the “movie plot threats” (see Die Hard 4.0), the theft of intellectual property seems rather mundane, but the likely impact is - at least for the time being - potentially much more significant. The Adversary may indiscriminately collect research results, product designs, sales plans and data and bigger strategic plans. Good cyber-attackers achieve this without the victim even realising it has happened. Once, such concerns were mainly the preserve of flagship projects, such as when foreign governments copy major aircraft designs. Now, in the connected world of the internet where all such data is online, opportunities exist at every level of business – together with the skills for attack and a willingness to use them.

The university sector in particular presents a difficult conundrum in this regard. Universities are major generators of intellectual property. Their spin-off activities are said to be worth £3.3 billion annually to the British economy through research and researchers, they are at the cutting edge of thinking in just about every field imaginable.

Whereas most organisations with secrets to protect have controls in place, spanning people, process, technology and physical security, universities are by their nature open places. Staff and students come and go, and large numbers of others are present on campus with visiting and peripatetic roles. It would be hugely damaging to this culture to put in place the security measures which would be commonplace in a large business. Background checks would be an anathema – but many graduate students and postdocs will have access to (and perhaps be helping to manage) the valuable research in progress. The actions leading to data loss may not even require a sophisticated cyber-plan at all.

Potential targets are also relatively easy to identify: academics have public web profiles; projects are described online, often as a condition of funding. Research to be published soon shows that people working in some fields are particularly prone to falling victim to “spear-phishing” attacks. This is where an apparently personal, carefully-crafted email contains a payload designed to steal content or plant spyware on the victim’s computer. Such messages do not tend to be caught by anti-virus software because their contents are specific to the user and so cannot be recognised by a generic search for software known to be bad. Academics are vulnerable because the standard advice “do not open attachments from unknown users” doesn’t work well when receiving CVs by email from prospective research students from all over the world.

The threat is very real. The scale of the risk is much harder to judge. This makes it hard to argue for changes in behaviour, and makes investment in new security measures difficult to justify. That said, university networks do not seem to be entirely overrun with viruses, botnets and the like, suggesting that many of the security measures in place are actually quite effective. The biggest danger, perhaps, is complacency in the face of a threat that continues to grow – but close behind is the danger of inappropriate or over-reaction that would alter too profoundly the open enquiry which must characterise a university.