Cyber-enabled Competitive Data Theft: A Framework for Modeling Long-Run Cybersecurity Consequences by Allan A. Friedman, Austen Mack-Crane and Ross A. Hammond
“Cybersecurity has become a pressing policy issue, and has drawn the attention of the national security community. Yet there is an emerging consensus among experts that one of the largest policy problems faced in cyberspace may be not a question of military threats in a new domain, but the massive exfiltration of competitive information from American companies. Economic espionage has existed at least since the industrial revolution, but the scope of modern cyber-enabled competitive data theft may be unprecedented. Much of the conversation surrounding the impact of cyber-enabled data theft has focused on how much theft is occurring today and how much this theft costs our economy today. Since data on the former (the level of theft) is extremely limited and almost certainly incomplete, efforts to estimate the latter (the present cost of theft) have suffered from both limited data and analytical approach, leading to widely varying estimates. The focus in this paper is instead on long-term consequences of cybertheft for innovative sectors of activity that are at the core of US economic success. Friedman, Mack-Crane, and Hammond conceive of the problem as one of diminished growth, rather than purloined assets. They explore the long-run implications of a world with no more (or with selectively fewer) digital secrets, examining which sectors or industries will be hurt the most or remain resilient, and which policies or technologies might be priorities for limiting economic harm in the future. The authors begin by developing a framework to unpack the concept of “cyber-enabled competitive data theft” (CCDT), which comprises many different dynamic pathways. The type of data stolen is important: even files typically seen as mundane, such as email archives, could be of great value to an attacker. The right emails can reveal a bidding strategy for a billion-dollar deal, for example. They also consider how different protection “regimes” (investments in particular forms of cybersecurity) map onto what types of information are or are not effectively protected. They detail the types of data that any firm might use to create value that are also of interest to attackers. These classes of information can be mapped to industries and sectors based on how attackers use strategic information. They then explicitly catalogue how firms suffer direct, first-order harms from data theft. In the model, we instantiate industry-specific patterns of information use related harms from theft drawn from extensive case studies, interviews, and the published literature. They then model expected long run shifts in the distribution of production and investment in innovative activity resulting from any particular pattern of harms.”