State-sponsored economic cyber-espionage for commercial purposes on the rise

State-sponsored and cyber-enabled theft of intellectual property is on the rise as countries employ all means at their disposal to gain advantages in a global environment increasingly shaped by strategic rivalry and political mistrust. This is a conclusion we reach in our new ASPI report, State-sponsored economic cyber-espionage for commercial purposes: tackling an invisible but persistent risk to prosperity.

Economic cyberespionage refers to the practice of some states of tasking or encouraging their national cybersecurity and intelligence agencies to use information and communications technology to conduct, sponsor or condone campaigns to steal assets of economic value from businesses in other nations and provide that IP to domestic firms.

It’s not only the increase in the scale, geographical spread and severity of campaigns of state-sponsored economic cyberespionage that’s worrying. The lack of international cooperation and political priority devoted to this practice will affect the competitiveness of high-performing and job-generating local industries, and by consequence nations’ future prosperity.

While a G20 agreement in 2015 that committed members not to conduct or support such theft led to a temporary dip, this form of cyberespionage hasresurged to pre-2015 levels and tripled in raw numbers between 2017 and 2022.Strategic competition has clearly spilled into the economic and technological domains and states have become more comfortable with and capable of using offensive cyber capabilities.

Our assessment is based on publicly recorded incidents. Given the clandestine and invisible nature of these acts, and the lag in time before the effects of IP theft are noticeable and disclosed or reported, there’s reason to believe that the real scale, spread and severity are even higher.

While only around 40 state-sponsored cyberespionage operations were reported between 2014 and 2016, hundreds of cases have occurred since then. And although not all of these cases are likely to be cases of economic cyber-espionage, campaigns that specifically target private-sector entities make up a noticeable share of all known cyberespionage operations from 2017 onwards.

Most of the cases occur in advanced economies, but private entities in Northeast Asia, Southeast Asia, South Asia and the Middle East are being increasingly targeted and affected. As companies and research institutes in other parts of the world become larger, wealthier, more innovative and more integrated into global supply chains, they also become targets of IP theft. For instance, incidents affecting and targeting private entities in Southeast Asia rose from 3.6% in 2014 to 15.4% in 2020. Similar trends can be observed in South Asia (6.4% in 2014 to 7.3% in 2020) and Latin America (3.6% in 2014 to 7.3% in 2020).

Addressing this invisible but persistent threat to economic competitiveness and prosperity first requires awareness before governments can start to acknowledge and recognise the nature of the risk. This could be enabled through more rigorous and specific assessments of the impact of lost IP on national economies in terms of financial costs, jobs and industry competitiveness. Also, national cybersecurity authorities and intelligence agencies could invest more in efforts to determine the scale and severity of state-sponsored economic cyber-espionage in their territory.

So far, only US and European authorities have published such assessments, and even those are already more than five years old. Most emerging economies in Southeast Asia, South Asia, the Middle East and North Africa appear to be increasingly affected, but governments there are yet to acknowledge and recognise the true risk.

The focus of most legislative initiatives is currently geared towards adding strengthened cybersecurity reporting requirements for providers of critical infrastructure and critical information infrastructure. This is important, but our report shows that industries that develop and commercialise high-value IP in the form of IP rights, trade secrets and sensitive business information equally require attention from policymakers. Ideally, governments would map those economic sectors and bring those industries or companies into the vault of arrangements for additional government protection in case they happen to be targeted by foreign states.

At the international level, members of the G20 and the broader UN membership should continue to raise and address the threat of economic cyber-espionage in relevant forums. Even in situations in which there’s no acceptance of state responsibility for acts of cyber espionage, the authorities have a responsibility to ‘not knowingly allow their territory to be misused’ and to ‘not support ICT-enabled theft of intellectual property’. Those are agreed norms of responsible state behaviour in cyberspace and align with World Trade Organization obligations to provide minimum standards of IP protection.

In this light, we recommend that G20 members reaffirm their 2015 commitment to refrain from economic cyber-espionage for commercial purposes. We also suggest that the G20 initiate further work in developing concrete guidance for the operationalisation and implementation of that agreement.

In addition, we suggest that national IP and cybersecurity authorities assess the scale and impact of ICT-enabled theft of IP on their economies, and bring industries or companies into the vault of arrangements for additional government protection in case they happen to be targeted by foreign states.

Australia, despite a track record in innovation and current ambitions in cybersecurity resilience, currently lacks such an estimate and arrangements.