Product developers should take note of a warning on rampant commercial espionage by China, issued by the "Five Eyes" group of national intelligence chiefs. At an unusual public meeting in the US, the group warned of the "most sustained, sophisticated and scaled theft of intellectual property (IP) and expertise in human history" making it the number one threat to innovation today, with cyber-attacks aimed at stealing IP occurring about every 12 hours.
What drew Circuitwise's attention was the example given by Australia's ASIO director-general Mike Burgess, which described the theft of hardware designs and firmware for an electronic product "similar to a motion detector" that is very typical of the kind of products we manufacture on behalf of our clients.
The national intelligence chiefs of Australia, the US, UK, Canada and NZ, publicly meeting in San Francisco, USA. Source: FBI
According to an article published on ABC News and other media outlets, an Australian company with a globally successful product suddenly found its sales plummeting when an identical but cheaper and inferior-quality replica started being sold out of China. The IP theft was traced to a person offering to share information at an international who persuaded a company employee to place a USB stick in a company laptop. When the laptop was connected back to the corporate network, malware was used to steal the product's designs.
According to Burgess, the IP was taken by Chinese intelligence services, who passed the information to a state-owned enterprise that mass-produced the goods and sold them on the market.
During product development, cybersecurity efforts are traditionally focused on making information gathered by products secure, particularly around compliance with government regulations on privacy. This is a complicated exercise in its own right, with multiple standards that could be applicable, such as UL 2900-1 on Software Cybersecurity for Network-Connectable Products.
However, product developers should also pay close attention to ensure that malicious actors are not able to secure access to the IP that underpins their business. IP does not just mean patents, which are ultimately published. IP also covers circuit schematics, PCB layout, firmware code, mechanical designs and more.
Circuitwise recently undertook a cybersecurity audit of its working environment, engaging an external consultant to undertake an independent assessment of our security measures, including penetration testing and identification/remediation of vulnerabilities. However, the most IT secure systems in the world will not work if staff are not aware of social techniques like the example given above. Staff education and training are key.
We would encourage all product developers in Australia to include a budget for ensuring "external" cybersecurity of their business. This should include the company's own cybersecurity measures as well as an audit of any suppliers that hold critical IP on their behalf. Guidance is available from the Australian Cyber Security Centre run by the Australian Government.