Cyber-enabled Competitive Data Theft: A Framework for Modeling Long-Run Cybersecurity Consequences

Cybersecurity has become a pressing policy issue, and has drawn the attention of the national security community. Yet there is an emerging consensus among experts that one of the largest policy problems faced in cyberspace may be not a question of military threats in a new domain, but the massive exfiltration of competitive information from American companies. Economic espionage has existed at least since the industrial revolution, but the scope of modern cyber-enabled competitive data theft may be unprecedented.

Much of the conversation surrounding the impact of cyber-enabled data theft has focused on how much theft is occurring today and how much this theft costs our economy today. Since data on the former (the level of theft) is extremely limited and almost certainly incomplete, efforts to estimate the latter (the present cost of theft) have suffered from both limited data and analytical approach, leading to widely varying estimates. The focus in this paper is instead on long-term consequences of cybertheft for innovative sectors of activity that are at the core of US economic success. Friedman, Mack-Crane, and Hammond conceive of the problem as one of diminished growth, rather than purloined assets. They explore the long-run implications of a world with no more (or with selectively fewer) digital secrets, examining which sectors or industries will be hurt the most or remain resilient, and which policies or technologies might be priorities for limiting economic harm in the future.

The authors begin by developing a framework to unpack the concept of “cyber-enabled competitive data theft” (CCDT), which comprises many different dynamic pathways. The type of data stolen is important: even files typically seen as mundane, such as email archives, could be of great value to an attacker. The right emails can reveal a bidding strategy for a billion-dollar deal, for example. They also consider how different protection “regimes” (investments in particular forms of cybersecurity) map onto what types of information are or are not effectively protected. They detail the types of data that any firm might use to create value that are also of interest to attackers. These classes of information can be mapped to industries and sectors based on how attackers use strategic information. They then explicitly catalogue how firms suffer direct, first-order harms from data theft. In the model, we instantiate industry-specific patterns of information use related harms from theft drawn from extensive case studies, interviews, and the published literature. They then model expected long run shifts in the distribution of production and investment in innovative activity resulting from any particular pattern of harms.

With this paper, Friedman, Mack-Crane, and Hammond present what they believe is the first economic framework and model to understand the long-run impact of competitive data theft on an economy by taking into account the actual mechanisms and pathways by which theft harms the victims. The initial results suggest five important conclusions:

1. The three dimensions along which the framework differentiates CCDT can all be important to model outcomes. In some cases, sector matters, in others the type of data stolen matters, and in others protection regime matters.
2. By seeing stolen data from a business process perspective, rather than a lost asset, the authors were able to understand the problem in a longer time frame. This not only avoids the challenges of short term analysis and gives us the context of equilibria, it is more extensible in a policy analysis.
3. These simulations demonstrate that different interventions will have different effects. Not only is there no ‘silver bullet,’ but some sectors will benefit from solutions that may offer no help to others.
4. The framework introduces a new way of thinking about cybersecurity that does not easily map onto existing theoretical structures or evidence. The modeling process revealed the need for further theoretical work to properly integrate the diversity of impacts the framework identifies into a model of growth.
5. This basic model is not only extensible, but can help us understand a range of critical cybersecurity policy problems. A particularly promising extension of the model would be to divide each sector into two groups: defenders and self-insurers. The defending firms spend some of their fixed capital in a one-time investment, but are less vulnerable to attacks. The remainder of the sector chooses to use their capital for growth, as before.