State-sponsored economic cyber-espionage for commercial purposes: Governmental practices in protecting IP-intensive industries

Introduction

This report looks at measures that governments in various parts of the world have taken to defend their economic ‘crown jewels’ and other critical knowledge-intensive industries from cyber threats. It should serve as inspiration for other governments, including those of the economies studied in State-sponsored economic cyber-espionage for commercial purposes: Assessing the preparedness of emerging economies to defend against cyber-enabled IP theft. Despite accounting for the bulk of GDP growth, innovation and future employment, such intellectual property (IP)-intensive industries aren’t held to the same levels of protection and security scrutiny as government agencies or providers of critical infrastructure and critical information infrastructure (Figure 1).

Figure 1: Various layers of cybersecurity protection regimes

Source: Developed by the authors.

Since 2022, an increasing number of governments have introduced new policies, legislation, regulations and standards to deal with the threat to their economies from cyber-enabled IP theft. Most prominently, in October 2023, the heads of the major security and intelligence agencies of Australia, Canada, New Zealand, the UK and the US (also known as the ‘Five Eyes’) appeared together in public for the first time, in front of a Silicon Valley audience, and called out China as an ‘unprecedented threat’ to innovation across the world.[1] That was followed up in October 2024 with a public campaign called ‘Secure Innovation’.

There is, however, variation in how governments frame their responses. Countries such as the UK and Australia take a national-security approach with policy instruments that seek to monitor the flow of knowledge and innovation to and from specific countries (primarily China). Other countries, such as Malaysia and Finland, take a due-diligence risk approach with a focus on awareness building and providing incentives to organisations to do their due-diligence checks before engaging with foreign entities. Countries such as Japan and Singapore, by contrast, take an economic-security approach in which they focus on engaging and empowering at-risk industries proactively.

This report is the third in a compendium of three. The first report, State-sponsored economic cyber-espionage for commercial purposes: tackling an invisible but persistent risk to prosperity, published in 2022, looked at the scale, scope and impact of state-sponsored cyber-espionage campaigns aimed at extracting trade secrets and sensitive business information. The second report, State-sponsored economic cyber-espionage for commercial purposes: Assessing the preparedness of emerging economies to respond to cyber-enabled IP theft, looks at the extent to which agreed norms effectively constrain states from conducting economic cyber-espionage and also examines the varying levels of vulnerability experienced by selected major emerging economies.

This third report complements those diagnoses by offering policymakers an action perspective based on good practices observed across the world. Various practices and examples have been selected, drawing from a multi-year capacity-building effort that included engagements in Southeast Asia, South Asia and Latin America and consultations with authorities in developed economies such as the US, Australia, Japan, Singapore and the Netherlands. Many of the practices covered in this report were presented at the Track 1 Dialogue on Good Governmental Practices that ASPI hosted during Singapore International Cyber Week 2023.

International guardrails

The issue of economic cyber-espionage[2] is inherently international. It’s an issue caused by malicious or negligent behaviour of other states. Accordingly, international law and norms are as critical as domestic responses in countering the threat posed. This section offers a review of the most relevant international initiatives that touch on the governance of cyberspace and the protection of IP.

Through the UN First Committee process, states have introduced a set of voluntary and non-binding norms (Figure 2). That has included the following provisions:

  • States should not knowingly allow their territory to be used for internationally wrongful acts; that is, activities that constitute (serious) breaches of international obligations, inflict serious harm on another state or jeopardise international peace and security.
  • States should not conduct or support cyber activities that damage critical infrastructure or impair the operation of critical infrastructure that provides services to the public.
  • States should offer assistance upon request and respond to requests to mitigate ongoing cyber incidents if those incidents affect the functioning of critical infrastructure.

Figure 2: UN norms of responsible state behaviour in cyberspace


The G20 norm complements the work of the UN First Committee, providing that:

  • States should not engage in cyber-espionage activities for the purpose of providing domestic industry with illegitimately obtained commercially valuable information.

The extent to which states accept that economic cyber-espionage without commercial intent is an acceptable tool of statecraft remains a live debate. In 2017, the authors of the Tallinn Manual 2.0 asserted that although ‘peacetime cyber espionage by States does not per se violate international law, the method by which it is carried out might do so’.[3] Other states, however, such as the members of MERCOSUR (the trade bloc comprising Argentina, Brazil, Paraguay, Uruguay and Venezuela [currently suspended]) and China hold the view that ‘[n]o State shall engage in ICT-enabled espionage or damages against other States’.[4] Austria recently (2024) added to this debate, arguing that ‘cyber espionage activities, including industrial cyber espionage against corporations, within a state’s territory may also violate that state’s sovereignty.’[5]

The Budapest Convention on Cybercrime and the new UN Cybercrime Convention don’t address the theft of IP or offer mechanisms to deal with state-sponsored cyber activities.[6] Both frameworks merely offer mechanisms for the harmonisation of legal regimes to enable states to collaborate on investigations and prosecutions of cyber-related crimes.

The Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), administered by the World Trade Organization (WTO), sets minimum standards for IP protection. Article 39 provides perpetual trade-secret protection, provided that the secret is not ‘generally known or readily accessible’ to the general public, has ‘commercial value because it is a secret’, and the owner has taken reasonable precautions to protect the secret.[7] However, TRIPS doesn’t take into account any cyber-related threats to IP protection; nor does it provide dispute-settlement mechanisms to address state-sponsored or state-supported acts of theft.

Finally, there are international agreements that regulate certain technology transfers. For instance, the Wassenaar Arrangement—a voluntary export-control regime established to promote responsible transfers of conventional arms and dual-use technologies and goods—offers a list of technologies that are considered sensitive and ought to be subject to additional layers of review before being approved for export. While it doesn’t address cyber-enabled IP theft, it does regulate the trade in technologies that could facilitate such theft, such as intrusion software and surveillance tools.

However, despite the serious impact of IP theft, there’s a clear gap in current international law and norms that would otherwise offer national governments guardrails for introducing measures that would help states to prevent, deter, detect and recover from economic cyber-espionage. Therefore, the onus for protection presently lies on national governments taking ownership and responsibility within their own borders.

References

  1. Zeba Siddiqui, ‘Five Eyes intelligence chiefs warn on China’s “theft” of intellectual property’, Reuters, 19 October 2023, online.
  2. ‘Economic cyber-espionage’ is the unauthorised collection of commercially valuable assets, through compromises of digital systems and communication channels, by one state against another or by one state against a private entity. ‘Industrial or commercial cyber-espionage’ is the unauthorised collection of commercially valuable assets, through compromises of digital systems and communication channels, by one private entity against another private entity.
  3. Michael N Schmitt, Tallinn manual 2.0 on the international law applicable to cyber operations, 2nd edition, Cambridge University Press, 2017.
  4. On China, see ‘China’s views on the application of the principle of sovereignty in cyberspace’, United Nations, online; on Mercosur, see ‘Decision rejecting the acts of espionage conducted by the United States in the countries of the region’, United Nations, 22 July 2013, online.
  5. Przemysław Roguski, ‘Austria’s Progressive Stance on Cyber Operations and International Law’, Just Security, 25 June 2024, online.
  6. See, for instance, Brenda I Rowe, ‘Transnational state-sponsored cyber economic espionage: a legal quagmire’, Security Journal, 13 September 2019, 33:63–82.
  7. ‘Article 39 of the Agreement on Trade-Related Aspects of Intellectual Property Rights’, World Trade Organization, online.

About the authors

Dr Gatra Priyandita is a Senior Analyst with the Cyber, Technology and Security Program at ASPI.

Bart Hogeveen is Deputy Director, Cyber, Technology and Security Program at ASPI.

Acknowledgements

ASPI would like to thank all contributors for their analyses and insights as well as all officials from the countries we studied for this report for their feedback, insights and questions. We would also like to thank the US State Department and staff at US embassies for supporting this project.

About the report

This report is part of a capacity-building project titled ‘Strengthening national resilience against the risk of cyber-enabled theft of intellectual property’ funded by the Bureau of Digital and Cyberspace Policy, US State Department. This report is an independent assessment by ASPI, and the views contained in this report are those of the authors only. They do not necessarily reflect the views of the US or any other government.

About ASPI

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our annual report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements. It is incorporated as a company, and is governed by a Council with broad membership. ASPI’s core values are collegiality, originality and innovation, quality and excellence, and independence.

ASPI’s publications—including this paper—are not intended in any way to express or reflect the views of the Australian Government. The opinions and recommendations in this paper are published by ASPI to promote public debate and understanding of strategic and defence issues. They reflect the personal views of the authors and should not be seen as representing the formal position of ASPI on any particular issue.

Funding

This report was produced with funding support from the US State Department.