Economic cyber-espionage: a persistent and invisible threat

Economic cyber-espionage, state-sponsored theft of sensitive business information via cyber means for commercial gain, is an invisible yet persistent threat to national economies. As more states use cyber tools to secure economic and strategic advantages, a growing number of countries, particularly emerging economies, are vulnerable.

In response, G20 members agreed in 2015 that no country should engage in cyber-enabled theft of intellectual property (IP) for commercial gain.

That resulted in expectations that states could provide assurances that their cyberspace activities didn’t seek foreign IP for unfair economic advantage, that they could provide IP holders with a protective framework, and that they could attain a level of cybersecurity maturity for protection of IP-intensive sectors.

Unfortunately, the reality is different. The number of cyber operations targeting private forms has quadrupled since 2015. As technological capabilities become central to national power, states are increasingly seeking shortcuts to competitiveness. Cyber operations seemingly offer an effective and attractive means.

The shift in cyber-espionage to target emerging economies is evident in the data analysed by ASPI. Our first report, State-sponsored Economic Cyber-espionage for Commercial Purposes: Tackling an invisible but persistent risk to prosperity, noted that in advanced economies accounted for 60 percent of reported cyber-espionage cases in 2014. By 2020, that proportion had reversed, with emerging economies now bearing most campaigns.

Two follow-up reports, released today, shed light on how countries confront this growing threat. In State-sponsored Economic Cyber-Espionage: Assessing the preparedness of emerging economies to respond to cyber-enabled IP theft, we evaluated the readiness of 11 major emerging economies to counteract cyber-enabled IP theft: Argentina, Brazil, Colombia, India, Indonesia, Malaysia, Mexico, Peru, the Philippines, Thailand and Vietnam. They represent some of the fastest-growing innovative economies in the world. Many are rapidly expanding in knowledge-intensive sectors such as biotech, advanced manufacturing and digital services. However, the report’s findings are concerning.

Most countries in South Asia, Southeast Asia and Latin America don’t recognise cyber threats to innovation and knowledge sectors as a major issue. This stance is reflected at the political-diplomatic level, where no government of an emerging economy has weighed in on these threats to innovation. Indonesia, India and Brazil, during their G20 presidencies, refrained from including cyber-enabled IP theft on the forum’s agenda.

When authorities in South and Southeast Asia and Latin America have strengthened their capacities to investigate and prosecute IP theft cases, it’s been driven by efforts to achieve conformity with World Trade Organization standards. But most governments struggle to live up to expectations in terms of securing and respecting higher-end IP, particularly when cases involve trade secrets and sensitive business information and when threat actors are believed to operate from foreign jurisdictions.

While no economy is safe from the risk of economic cyber-espionage, some are likelier targets, and some are more prepared to withstand the threat. Defending against economic cyber-espionage is an exercise in matching a response posture with an ongoing assessment of an economy’s risk profile

In our second report, State-sponsored Economic Cyber-espionage: Governmental practices in protecting IP-intensive industries, we looked at measures that governments in various parts of the world have taken to defend their economic crown jewels and other important knowledge-intensive industries from cyber threats.

Most prominently, in October 2023 the heads of the Five Eyes’ major security and intelligence agencies appeared together in public for the first time. In front of a Silicon Valley audience, they called China out as an ‘unprecedented threat’ to innovation across the world. That was followed up in October 2024 with a public campaign, Secure Innovation, which mirrored similar efforts by European and Japanese governments.

But still, IP-intensive industries aren’t held to the same levels of protection and security scrutiny as government agencies or providers of critical infrastructure, despite accounting for the bulk of GDP growth, innovation and future employment.

Defending against economic cyber-espionage is complex. It involves defending against other states, or groups operating with their consent. These actors tend to be well resourced or insulated from consequences. At the coalface of those malicious cyber activities stand private and public companies—big and small—as well as research labs and universities. They’re the first line of defence against many cyber threats, including state-sponsored threat actors.

Governments can and must play an outsized role in shaping standards for making a country’s innovation ecosystem more cyber and IP secure. This involves strengthening domestic enforcement mechanisms. The issue must also be re-energising in forums such as the World Trade Organization, United Nations General Assembly and ministerial meetings under such organisations as the Quad and Association of Southeast Asian Nations. Interventions must focus on measures that prevent IP theft. After all, once IP is stolen, it’s stolen for good—along with all research and development investments made up to that point.

You might also like
Cyber wrap
Reaction isn’t enough. Australia should aim at preventing cybercrime
Cybersecurity: people are not the problem
Government needs to ensure Australia’s digital sovereignty
Government must take cyber threat to democracy seriously
Advancing digital sovereignty in northern Australia