Intellectual property theft is a major concern for all businesses, but especially organizations in the defense-industrial base because their IP is vital to national security. The threat of foreign adversaries penetrating domestic organizations to further their own ends has come into sharp focus over the past few years with high-profile cases like the SolarWinds supply chain attack and the indictment of a Chinese businessman for conspiring to steal General Electric’s trade secrets.
These threats are especially troublesome for small to mid-sized businesses that generally lack the cybersecurity resources to defend themselves. Thankfully, there are a growing number of resources that these businesses can leverage to safeguard their IP.
Unfortunately, threats to the defense-industrial base, or DIB, continue to grow. This year, Microsoft caught a sophisticated Chinese threat actor dubbed “Volt Typhoon” penetrating U.S. businesses in critical infrastructure to gather information and conduct espionage. This is just one of many examples of Chinese cybersecurity threats against U.S. businesses with the common goal of stealing another country’s IP to provide an economic benefit to Chinese businesses.
As the technological decoupling of the U.S. and Chinese technology ecosystems accelerates, organizations at all levels of the DIB will have to increase security to protect their intellectual property from targeted intrusion and supply chain attacks.
For an individual company, IP can make up as much as 80% of its value by some estimates. This means that a successful cyberattack resulting in IP theft could be a business-ending event, especially for small businesses. Additionally, it is estimated that IP-intensive industries support more than 45 million U.S. jobs, and that IP theft costs the U.S. economy as much as $600 billion per year, which demonstrates the scope and impact of the problem.
Thankfully, the government has started to recognize the seriousness of this threat and has taken steps to mitigate it. In January 2023, the Protecting American Intellectual Property Act was signed into law. This law aims to impose additional sanctions on non-U.S. actors engaged in IP theft, but this applies only after IP has been stolen. In June 2023, recognizing the increasing threat of cybercrime against U.S. businesses, the Department of Justice received congressional approval to establish a new national security cyber section providing additional federal resources to detect and disrupt advanced persistent cybersecurity threats targeting the DIB.
While the U.S. invests in federal resources to mitigate cyber risks, the U.S. also provides no-cost cybersecurity services to Department of Defense contractors offered through the National Security Agency. Additionally, the Cybersecurity and Infrastructure Security Agency, an arm of the Department of Homeland Security, provides various no-cost cybersecurity services to organizations such as vulnerability scanning and cybersecurity assessments (these are available for businesses outside of the DIB as well).
Finally, the DoD Cyber Crime Center has an entire division devoted to providing free support to the DIB to include cybersecurity-as-a-service capabilities and cyber resiliency analyses for cleared defense contractors. These three services are particularly valuable to small and mid-sized businesses within the DIB that often lack robust cybersecurity resources of their own.
With a surplus of resources available and countless threats looming, it can be difficult to know where to start or what to do next. Fortunately, CISA also provides excellent guidance for small businesses that also prove to be the best steps for any small to mid-sized business in the DIB.
First, ensure your organization has a designated cybersecurity person or team that can immediately prioritize four efforts:
- Ensure multifactor authentication is fully implemented to log into your IT systems, including email.
- Ensure all technology systems are patched with software updates on a recurring basis.
- Continuously back up business data, and periodically validate that backups are valid and recovery works.
- Enable data encryption on all IT assets including laptops, desktops and servers.
Second, businesses in the DIB should ensure that an incident response plan is developed, periodically reviewed and exercised. This step helps ensure that when an inevitable incident occurs, businesses can resume operations quickly and with minimal business impact. CISA provides resources on where to start with developing an incident response plan.
Third, organizations in the DIB must participate in periodic cybersecurity tabletop exercises. Again, this is a preparedness activity that ensures businesses are best prepared to recover from a cyber incident as quickly as possible to minimize impact. The Federal Emergency Management Agency provides ongoing, no-cost virtual cybersecurity tabletop exercises the DIB can and should take advantage of.
In conclusion, threats of intellectual property theft are both persistent and growing, particularly within the DIB. High-profile cybersecurity attacks such as the SolarWinds breach and the Volt Typhoon intrusions highlight the necessity for urgent action to safeguard IP — IP that forms the backbone of U.S. gross domestic product and U.S. national security.
While the government has taken measurable steps to counter these threats, companies in the DIB cannot rely on legislation and regulation alone. Thankfully, there are many resource of which companies in the DIB can take advantage to bolster their defenses and to protect their crown jewels.
Noah Rivers is a research associate at the Greg and Camille Baroni Center for Government Contracting at George Mason University. U.S. Army veteran Jimmy Benoit serves as the vice president of cybersecurity at the Public Broadcasting Service.