Security as Culture
Protecting IP in the Manufacturing Industry
If you take a close look at the many gadgets and electronic devices that fit into your daily life, you’ll likely find that an exceedingly large number of them are made in China. This probably won’t surprise you, as offshore manufacturing has been a staple of the North American electronics market for almost fifty years. Beyond electronic gizmos, you’ll also find that toys, clothes, and even some food products are being manufactured in low-cost foreign regions. This has been a prevailing reality for a very long time, but things are about to change.
The reshoring movement aims to bring this work home to North America, and over the last few years it’s been gaining momentum. Many companies have been moving their manufacturing operations back to North American soil in an effort to repatriate the jobs, the products, and the investments. These are all significant factors in the push to reshore manufacturing, but another more disturbing concern has been driving the movement in recent years.
The CNBC Global CFO Council is an elite group of chief financial officers from North American corporations. According to a report from early this year, of 27 members of the council, five work for organizations that have had their intellectual property stolen by Chinese companies.
In fact, intellectual property theft by Chinese companies costs the American economy roughly $300 billion per year. To make matters worse, the Chinese government has been extremely lax in dealing with the rampant violations that are being reported by North American companies operating in China. It’s a serious problem that isn’t being sufficiently addressed, and it’s a strong motivation in the movement to bring manufacturing operations back home.
For some major technology companies, intellectual property theft has resulted in significant financial damages. Giant multinational tech corporations like IBM and Hewlett Packard have been targeted in large-scale cyber attacks aimed at stealing trade secrets and intellectual property. When these companies are infiltrated, decades of work and millions of dollars in investment can be undone in the blink of an eye.
Worse yet, in many of these instances the attackers remain inside the target’s digital infrastructure for years, quietly extracting information and selling it to competing companies.
In China, cyber attacks on North American corporations are rampant, and not enough is being done by law enforcement or government to stop them. According to a Reuters article published in June, one such attack affected eight leading technology companies over several years and was referred to by a member of a British intelligence agency as “A sustained attack with a devastating impact.” While many of the victims have stayed quiet about the details, we know that these attacks are happening and that the effects are significant.
Many experts have raised the same question – might the Chinese government be involved? Chinese officials have denied these allegations vehemently, but Mark Warner, the Democratic vice-chair of the Senate Intelligence Committee, did not exactly slam the door on such suspicions.
“We have to increase awareness among U.S. companies, investors and universities about the tactics China is now using to undermine U.S. competitiveness, security and influence.” Whether or not the Chinese government is ultimately involved, the fact remains that offshoring has become a practice that carries significant risk.
In response, North American manufacturing companies have been moving their plants back home. More and more companies are reasoning that the risk of remaining in China outweighs the increased overhead of manufacturing domestically.
Threats all over
Of course, China doesn’t have a monopoly on intellectual property theft. The same risks exist in North America, and while the US and Canadian governments seem more sympathetic to and protective of victims than the Chinese government, cyber attacks and espionage are still happening and are still a threat that needs to be addressed.
Engineering and manufacturing companies in high technology fields invest millions of dollars every year in research and development. Products go through hundreds of iterations, sometimes over many years. When that product finally comes to market, the price you pay has been set so that the company can earn a return on those many years of early investment.
However, if all of the information gathered over the course of that product’s development is stolen and sold off to a rival company, that company could replicate the product and sell it at a much lower price point because it doesn’t have to bear the cost of that initial investment.
Worse yet, a bad actor with access to a company’s development data could file patents and steal the rights to the product out from under the rightful owner. To mitigate these risks, companies have been investing heavily in security.
Entry points everywhere
Traditionally, security in an industrial environment meant locks on doors, security cameras, access cards, and a good firewall to protect the internal network from the internet. Today, there are many more entry points for an attacker to choose from. Everything is connected, from the equipment on the manufacturing floor to the doors and the lighting system. Everything is networked, and everything is a potential hole for a threat actor to enter through.
So it’s not surprising that, according to Statista.com, global cybersecurity spending has risen steadily year on year from 27.4 billion in 2010 to 66 billion in 2018. This includes security hardware, software and services.
Many companies have taken to hiring red team firms to test their susceptibility. A red team is an elite group of professional infiltrators who will simulate an actual attack on a company’s assets. This includes attempting to physically break into buildings, steal sensitive data and hardware, and access computer systems, all without alerting the company’s security team. They will then report their findings and their level of access to the company and help them shore up their weaknesses.
Bug bounties are another approach to security that has gained steam in the last few years. Companies with large digital infrastructures and internet-connected properties have been offering rewards to people who find security flaws in their systems. A number of very successful platforms have popped up to connect these companies with bug bounty hunters. It’s a new trend in the security industry, and hundreds of major manufacturers have come on board, including Samsung, Tesla, and even the U.S. Department of Defense.
Both of these approaches are designed to assess the maturity of a company’s security policies and its exposure to risk. By hiring a red team firm or offering a bug bounty program, an organization can understand how exposed it is to an attack, and how it might mitigate some of the problems that exist within its infrastructure.
This is valuable information, but understanding the risk is only the first step in solving the problem. Companies, particularly those with highly sensitive intellectual property, are beginning to find that security, like safety, isn’t a checklist but a culture.
More than strong locks and cameras in every corner, organizations are learning that strong security demands a complete restructuring of policy, training for all employees, and a complete cultural shift from the top down. As more and more major tech manufacturers move their operations back home, the threat of Chinese hackers becomes less immediate, but theft of trade secrets and intellectual property will not stop so long as valuable secrets exist.
A reputation that took a decade to build can be undone with a single security incident. The companies that understand this are investing heavily in defensive strategies and moving toward security as culture.