State-sponsored economic cyber-espionage for commercial purposes: Assessing the preparedness of emerging economies to defend against cyber-enabled IP theft

Introduction

Strategic competition is deepening existing tensions and mistrust between states and prompts nations to develop capabilities that they consider central to sovereign national power. Technological capabilities sit at the centre of this. It’s therefore not surprising that governments around the world are seeking technological advantage over their competitors and potential adversaries. In this context, safeguarding intellectual property (IP) has become necessary not just because it’s an essential asset for any modern economy—developed or emerging—but because it’s also increasingly underwriting national and regional security.

Today, middle-income countries¹ ‘World Bank country and lending groups’, World Bank, 2024, online. that are seeking to progress in the global value chain are home to vibrant knowledge-intensive sectors. Some of the world’s largest science and technology clusters are located in São Paulo and Bengaluru, for example.² Other exemplars include the biochemical industry in India, information and communication technology (ICT) firms in Malaysia and petroleum processors in Brazil. In fact, countries such as Brazil, India, Indonesia, Mexico and Vietnam have emerged as increasingly major producers of knowledge and innovation.³

Perhaps reflecting that changing reality, it’s middle-income countries that are confronted by increasing attempts to deprive them of their economic crown jewels. In our report State-sponsored economic cyber-espionage for commercial purposes: tackling an invisible but persistent risk to prosperity, ASPI estimated that the number of state-sponsored cyber incidents affecting private entities in Southeast Asia, South Asia, Latin America and the Middle East increased from 40% in 2014 to nearly 60% in 2020.⁴ To be clear: economic espionage isn’t new. But it’s the growing scale and intensification of economic cyber-espionage for commercial purposes—and as an integrated tool of statecraft—that is a cause for concern.

The promise of 2015

In September 2015, a bilateral summit between Chinese President Xi Jinping and then US President Barack Obama laid the foundation for an international norm against cyber-enabled theft of IP for commercial gain. The joint communique produced at the end of the summit highlighted that China and the US had reached an understanding not to ‘conduct or knowingly support cyber-enabled theft of IP, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors’. This—critically—recognised a distinction between hacking for commercial purposes and hacking for national-security purposes. Building on that apparent progress, the 2015 G20 Antalya leaders’ communique on ICT-enabled theft of IP established bounds for responsible state behaviour in cyberspace—what was described at the time as a landmark moment.

However, the promise of that seemingly historic moment has not been realised since. Rather than seeing this practice stop, cyber-enabled theft of IP quadrupled between 2015 and 2023. Higher barriers to market access across China, the US and Europe—the result of tit-for-tat behaviour seeking to bolster local technological capabilities, reduce dependence on high-risk vendors, achieve greater strategic autonomy and/or counter unfair advantage—have combined to incentivise irresponsible behaviour by malign states.

China’s and the US’s adherence was always going to be critical to the continued strength and legitimacy of any international norm against cyber-enabled economic espionage. However, bilateral relations between Beijing and Washington devolved in the period after 2015. During the first Trump administration, the US drew a clearer connection between economic and national security. That included explicitly calling out in 2020 China’s theft of American technology, IP and research as a threat to the safety, security and economy of the US. The Trump administration also established the China Initiative, which investigated and prosecuted perceived Chinese spies in American research and industry. While the Biden administration closed the China Initiative, it has continued efforts to protect American IP. That includes through the passing of the Protecting American Intellectual Property Act of 2022, which empowers the US President to sanction entities seen to benefit from or sponsor trade-secret theft.⁵

For its part, China may never have intended to uphold its commitment to the norm over the long term. China may have endorsed a commitment against economic cyber-espionage as a strategic move to accelerate domestic initiatives, such as rooting out corruption in the People’s Liberation Army and refining Chinese hacking methods to be more sophisticated and less conspicuous.⁶⁶ Alternatively, the lack of a clearly articulated distinction between hacking for competitive advantage and hacking for national-security purposes under Obama and Xi’s agreement may have contributed to the current situation. In any case, the threat of economic cyber-espionage continues to spiral rapidly, increasingly affecting emerging economies as well.

Emerging economies in the Global South, including members of the G20, have been the most vulnerable to that backsliding. India, Vietnam and Brazil have become important and impactful IP-producers, but their means to protect that innovation have lagged—unfortunately creating an expanded attack surface without the commensurate resilience. Still coming to terms with the scope and nature of the threat, they and other similar governments have so far introduced higher-end requirements and support arrangements for their own systems, and for operators of critical infrastructure and critical information infrastructure. However, most other industries—even when they’re substantial contributors to national GDP, high-value IP holders and the enablers for economic advancement—have been left out.

Building capacity to defend against cyber-enabled theft of IP

This report is a first-ever analytical exercise that examines the vulnerability of emerging economies in the face of economic cyber-espionage. It’s a culmination of two years of research and stakeholder engagement across the Indo-Pacific and Latin America. The focus has been on investigating perspectives on the threat of economic cyber-espionage and the degree to which major emerging economies are prepared to respond. The first of the three reports in the compendium—published in late 2022—examined state practices of cyber-enabled theft of IP. It found that, since 2015, the number of reported cases of economic cyber-espionage had tripled. Further, it found that the scale and severity of incidents had grown proportionally with the use of cyber technology as a tool of statecraft for securing economic and strategic objectives.

This specific report is the second in the compendium of three. It considers Chinese and US perspectives in the first instance—recognising their criticality to the effectiveness of any international norm. It goes on to assess the level of vulnerability across Argentina, Brazil, Colombia, India, Indonesia, Malaysia, Mexico, Peru, the Philippines, Thailand and Vietnam. This is because it’s those economies in South Asia, Southeast Asia and Latin America that are experiencing some of the world’s most rapid knowledge and innovation production. Each country has been assessed and given a risk label indicating its vulnerability based on a diagnostic tool developed by ASPI.

The third of the three reports in the compendium goes beyond analysing the problem. Through a mapping of responses, it identifies and presents a capture of best practice. The purpose is to support vulnerable states in defending their economic ‘crown jewels’—that is, critical knowledge-intensive industries. It offers a capacity-building checklist intended to help policymakers make sense of the cyber-threat landscape and respond to protect private entities from economic cyber-espionage.

References

‘World Bank country and lending groups’, World Bank, 2024, online. ↩︎
‘Science and technology cluster ranking 2023’, World Intellectual Property Organization (WIPO), online.
↩︎
‘2023 Global Innovation Index’, WIPO, online.
↩︎
Gatra Priyandita, Bart Hogeveen, Ben Stevens, State-sponsored economic cyber-espionage for commercial purposes: tackling an invisible but persistent risk to
prosperity, ASPI, Canberra, 2022, online. ↩︎
‘Protecting American Intellectual Property Act of 2022’, US Congress, online. ↩︎
Jack Goldsmith, ‘US attribution of China’s cyber-theft aids Xi’s centralization and anti-corruption efforts’, Lawfare, 21 June 2016, online. ↩︎

About the authors

Dr Gatra Priyandita is a Senior Analyst with the Cyber, Technology and Security Program at ASPI.

Bart Hogeveen is Deputy Director, Cyber, Technology and Security Program at ASPI.

Contributors

Dr. Juan Manuel Aguilar, Postdoctoral Research Fellow, National Autonomous University, Mexico; Dr Jessada Burinsuchat, independent researcher; Johan Caldas, lawyer, Observatorio Legislativo Compás; Maria Angelica Castillo, Cyber Intelligence Consultant, Telefonica Tech; Urmika Deb, former researcher at ASPI; Janitra Heryanto, former research assistant at the Centre for Digital Society, University of Gadjah Mada; Mark Manantan, Director of Cybersecurity and Critical Technology at Pacific Forum; Nguyen The Phuong, PhD candidate at the Australian Defence Force Academy; Perdana Karim, researcher at the Centre for Digital Society, University of Gadjah Mada; Dr Maria Pilar Llorens, Lecturer in International Public Law, Universidad Nacional de Cordoba; Dr Danielle Jacon Ayres Pinto, Assistant Professor, Santa Catarina Federal University; Dr Teesta Prakash, former analyst at ASPI; Treviliana Putri, researcher at the Centre for Digital Society, University of Gadjah Mada; Farlina Said, Senior Analyst at ISIS Malaysia; Ben Stevens, former research intern at ASPI.

Acknowledgements

ASPI would like to thank all contributors for their analyses and insights as well as all officials from the countries we studied for this report for their feedback, insights and questions. We would also like to thank the US State Department and staff at US embassies for supporting this project.

About the report

This report is part of a capacity-building project titled ‘Strengthening national resilience against the risk of cyber-enabled theft of intellectual property’ funded by the Bureau of Digital and Cyberspace Policy, US State Department. This report is an independent assessment by ASPI, and the views contained in this report are those of the authors only. They do not necessarily reflect the views of the US or any other government.

About ASPI

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally. ASPI’s sources of funding are identified in our annual report, online at www.aspi.org.au and in the acknowledgements section of individual publications. ASPI remains independent in the content of the research and in all editorial judgements. It is incorporated as a company, and is governed by a Council with broad membership. ASPI’s core values are collegiality, originality and innovation, quality and excellence, and independence.

ASPI’s publications—including this paper—are not intended in any way to express or reflect the views of the Australian Government. The opinions and recommendations in this paper are published by ASPI to promote public debate and understanding of strategic and defence issues. They reflect the personal views of the authors and should not be seen as representing the formal position of ASPI on any particular issue.

ASPI Cyber, Technology and Security

ASPI’s Cyber, Technology and Security (CTS) analysts inform policy debates in the Indo-Pacific through original, rigorous and data-driven research. CTS is a leading voice in global debates on cyber, emerging and critical technologies, foreign interference and issues related to information operations and disinformation. CTS has a growing mixture of expertise and skills with teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building and internet safety, satellite analysis, surveillance and China-related issues. To develop capability in Australia and across the Indo-Pacific region, CTS has a capacity-building team that conducts workshops, training programs and large-scale exercises for the public, private and civil-society sectors.

CTS enriches regional debate by collaborating with civil-society groups from around the world and by bringing leading global experts to Australia through our international fellowship program. We thank all of those who support and contribute to CTS with their time, intellect and passion for the topics we work on. If you would like to support the work of CTS, contact: ctspartnerships@aspi.org.au.