Podcasts
Afternoon Cyber Tea with Ann Johnson
Ep 45
Afternoon Cyber Tea with Ann Johnson 2.8.22
Ep 45 | 2.8.22

Cybersecurity & Privacy Protections

Show Notes
Transcript

Ann Johnson: Welcome to "Afternoon Cyber Tea" with Ann Johnson, where we speak with some of the biggest security influencers in the industry about what is shaping the cyber landscape and what is top of mind for the C-suite. I'm Ann Johnson, and today, I'm joined by Nicola Searle. Nicola is the EPSRC Digital Economy Fellow and Senior Lecturer, associate professor, at Goldsmiths, University of London. Nicola's work is devoted to critiquing intellectual property and its role on economies, focusing on policy and management implications. She previously served as a government economist at the U.K. Intellectual Property Office, authored two Oxford University Press manuscripts on intellectual property, and prior to her academic career, she was a financial associate at Goldman Sachs in the United States and in Italy. Welcome to "Afternoon Cyber Tea," Nicola.

Nicola Searle: Thanks, Ann. It's great to be here. 

Ann Johnson: So you recently - we're going to dive right in. You recently wrote an in-depth paper about the economic and innovation impacts of trade secrets, and this is where I want to start today. So we know that the threat of outside hackers is not the only reason to implement and invest in cyber practices and solutions. And we know that a thoughtful cybersecurity approach can also protect a business's trade secrets from theft. Actually, trade secrets are one of the things that are most often targeted. So it's something we probably, as an industry, really don't talk enough about. And trade secrets can be obviously highly valuable firm assets. They can be the entire, you know, IP of the firm and the thing that's keeping the firm in business and afloat. So these threat impacts are more than just businesses that have to be targets and should be a substantial risk that businesses think about daily. Before we dive into the impact, can you share with us your definition of trade secrets and why they're so important and why they're so much more relevant today in our digital world? 

Nicola Searle: So, Ann, I think you've kind of laid out some of the initial points here that, yes, these are extremely important and valuable assets. For the definition of a trade secret - so it's a legal definition. It is valuable information. So we're talking about a firm's secrets, so the valuable information they have, that needs to meet three criteria. So the first is it has to be secret - no surprise; the second is that it has to have value from its - to secrecy; and the third is that it needs to be reasonably protected. And that third point, so the reasonable protection, is where cybersecurity is so important because, you know, we need these secrets to be protected. 

Nicola Searle: What's happened in the last, you know, really important, interesting technological advances over the last couple of decades is that we're seeing trade secrets - we're seeing more trade secrets - right? - because we have an explosion of data that we didn't really have the capability of doing before. And we're now seeing this, you know, vast amounts of data, some of which are trade secrets. They're all stored digitally, and they're so much more vulnerable as a consequence. And this is in contrast to the kind of - one of the examples I love is "Charlie and the Chocolate Factory." So that's actually based on a kind of a trade secret theft - you know, stealing the secret formula. We've moved beyond that world. We're in a digital world now where trade secrets are much more important, but they're also much more vulnerable because of that. 

Ann Johnson: Yeah. If you just think about the digital economy that we're in - right? - and the fact that data is becoming, just increasingly - it's the new currency. So I would imagine that, you know, organizations - their physical assets are becoming less important as their digital assets are becoming more important. Is that a fair statement? 

Nicola Searle: Absolutely. Yes. So we are - you know, we're in a digital economy, which is also a knowledge economy. So the kind of, you know, factories and capital goods that we used to talk about are fading in comparison to this, you know, incredibly valuable data, which you've just mentioned. And some people are calling it kind of the new oil, gold. It's a really big change in how particularly the U.S. economy functions. 

Ann Johnson: Yeah. And here in the U.S., intellectual property assets, including trade secrets, can be more than 80% of an S&P 500 company's value - so making them this attractive target. So why are trade secrets particularly vulnerable to cyberattacks? 

Nicola Searle: So in the U.S., we know that a lot of firms' value, as you just said, comes from intellectual property. And that encompasses a very wide range of intellectual property, like patents and copyright. But trade secrets are this kind of unique, valuable type of protection of a firm's assets. And that is - you know, they are underpinning the wider intellectual property system. They're underpinning the wider intellectual property of a firm because, you know, before you put something onto market, it's a prototype. And at that point, it's a trade secret. And what happens is if you lose that secrecy, you are losing a very long-term, potentially, innovation. You are losing out on a strategy that you had been thinking about for some time. So you're compromising the future of your intellectual property value. And because trade secrets lose that value if they're stolen, that means that cybersecurity attacks on trade secrets can be extremely damaging to a firm. 

Ann Johnson: Yeah. And I think you articulate it well. It's not just short-term damage. These could be your plans for your future products that you're going to bring to market even in three, five, 10 years. So that's really material to a firm. 

Nicola Searle: Exactly. Yeah. Because we - you know, sophisticated firms, the type of firms that we're talking about with long-term intellectual property strategies, really are thinking about these kind of things. But, you know, one of the things we're talking about today is that interaction with cybersecurity, which isn't always at the forefront of thinking. 

Ann Johnson: It's an interesting intersection. And I know, in your paper, you wrote that much of the emphasis is on the U.S. and EU policy debates - have been on the economic impact of trade secrets. However, this emphasis has not yet been matched by research interests, in part due to the relative - there's just a lack of data. And there's been a lack of focus. You know, one thing I really enjoyed was the article you co-wrote that said there has been a lot of hype around how important it is to protect trade secrets from theft because such espionage is allegedly so damaging to organizations. But these are just, to date, you know, theoretical claims. We haven't seen that front page article about how a trade secret theft due to cybersecurity has really significantly impacted an organization. Do you think that there's been little research because the - much, like, the onus of cybersecurity has rested on organizations themselves and governments haven't delved into this topic? 

Nicola Searle: You know, I'm a researcher working on trade secrets. So, in some ways, I'm contributing to the hype. But one of the challenges we have in understanding what's going on in this area is that firms don't want to talk about the fact that they've had a trade secret loss or they've had a cyber breach. No one wants to - really wants to go around and advertise that something, you know, negative has happened to their company. Just - you know, just saying you've lost a trade secret or just saying you've been subject to a cyberattack is also giving information to your competitors. So what we have is this kind of - sort of chicken-and-egg problem. We know there's an issue, right? We know firms are having problems with this. We know cyberattacks happen. But we don't have the kind of robust evidence that - at least, you know, sort of me thinking about this from a research perspective and an economic perspective - we don't really have the robust evidence that allows us to make, you know, substantiated to well-developed understanding of what is actually happening. And that, as you've just said - it plays into that - kind of the similar situation we see in cybersecurity. 

Nicola Searle: So firms are usually responsible for their own cybersecurity. And we know that there's a bit of tension, I think, between governments and firms on, you know, who should be responsible for some of these things that happen. And again, it's this difficult combination because firms can only invest in their cybersecurity to a certain point. You know, you need other firms in your environment to also be investing in that cybersecurity. And then when you - you know, the type of things that, like, governments could do - so if we're thinking about this from a policy perspective, a government policy perspective, the kind of things that would reduce cyberattacks are - you know, when we think about this from an economics of crime perspective - are prevention and increasing the probability people get caught if they do this. Those are both really expensive ways for a government to protect against cyberattacks. And this is why we see that kind of pushback. So it gets pushed back onto firms to have that responsibility for their cybersecurity. And this is all kind of this similar - sorry to use this - web. It's all the kind of - this intricate web of understanding, you know, we know there's problems, but getting all of these things aligned and understanding what's actually happening is a challenge. 

Ann Johnson: So one of the questions I would have then is, what do you think the role for government is in helping organizations protect their trade secrets and their intellectual property from a cyberattack? 

Nicola Searle: So intellectual property itself is what I would call a government policy, right? It's a legal system to support firms and support innovation. And there's this constant tension - and I just kind of talked about this a little bit - in when we think about cybersecurity and firms willing to talk about this. So there's this, you know, who's supposed to pay for this? And it's never quite clear because, of course, governments have a lot of demands on the public purse. So one of the things I do see - and this also stems from my own experience working in policy - is some of the things that are actually really helpful for firms are things like raising awareness. So you - you know, you raise awareness of these issues. So you get firms to think a little bit more about their cybersecurity. You get, you know, that - you get firms - so you have the IT, the cybersecurity, you have the innovators and you have your legal departments talking together. So encouraging that kind of more strategic thinking is a great way for governments to support this. Then there's also public awareness, of course. So, you know, you just kind of get people to think about this. 

Nicola Searle: It starts to become a little bit more complicated when you're talking about governments supporting specific firms and specific pieces of intellectual property, because then you start to ask questions. You know, is this an appropriate use of public funds? So I tend to think that it's better for governments to think widely about creating a healthy innovation environment, a healthy intellectual property environment, making sure that firms are supported when they go abroad, and we see all this. This is kind of what happens. So it's a - it's difficult for governments to really address this in a way that some firms, I think, would like, but also in a way that still keeps a healthy innovation system. 

Ann Johnson: I think that makes a lot of sense. I also - is there any intersection you see between things the governments are doing related to privacy and intellectual property? 

Nicola Searle: So this is one of those ones that I have been thinking about for, probably, a decade (laughter). And in some ways, I've gotten nowhere, which isn't a great answer. So when we talk about big data - so for a lot of the early discussions on big data, there was, oh, intellectual property is an issue. And it is. But the thing is, at least in sort of the U.K. and the European Union, the first thing, the first challenge, is understanding the privacy issues and understanding, yeah, whose data are we talking about? And I appreciate it's a different discussion in the U.S. for cultural and also legal reasons. 

Nicola Searle: But it's not always straightforward to understand, you know, where does one end? So where are we thinking about the consumer or the individual? And where are we thinking about the intellectual property? My suspicion is that in this area, we're going to see a lot of changes about how people think about their own data, so individuals. It's a much easier discussion if you're talking about commercial data because then you're not - you know, purely commercial data. Then you're not in the same kind of realm of having to think about the privacy. There's a lot to be understood. And I think we'll see a very different environment in this in five years, depending on how consumers in particular see this. 

Ann Johnson: Yeah. I think that makes a lot of sense. And I also think that one of the things we need to think about is the impact to innovation, the ability of organizations and countries to continue to be competitive if significant investments aren't made in protecting intellectual property. Can you share with your listeners a bit about the impact and why investing in the research is a critical - absolutely critical to global economies? 

Nicola Searle: So as an economist, I think about intellectual property as an incentive to innovate. So the intellectual property system exists to support firms who have invested time and resources in creating their innovations. And intellectual property gives them some means of protecting that information and getting some of their money back. The balance of this is that, of course, you know, innovation is crucial to lifestyles, to health. You know, when we think about some of the challenges we have in terms of the environment, innovation would be about, you know, doing things in more efficient ways. We can think of a lot of really important impacts of innovation. And so we have - yes, we need to incentivize firms. 

Nicola Searle: But we also need that to be balanced so that when firms - you know, so you have a patent, right? A patent expires. So at some point, this protection ends. And we need that information to go back into the kind of - we call it the public domain. So this information, all these innovations, then become part of kind of this wider body of knowledge so that we can stand on the shoulders of giants and create new innovations. So we need this - intellectual property really underpins this approach. But it also has that balance because we need that kind of information flows to really develop the kind of innovations that - I think, you know, the last couple of years have really underscored why we need innovation and kind of the potential we might have in the future. 

Ann Johnson: That makes perfect sense. And I think there's these broad impacts to innovation that, you know, we're just not thinking about from a cybersecurity standpoint. And I'm wondering what role you see cybersecurity and future cybersecurity investments, and just the industry talking about it - how we can help protect trade secrets? 

Nicola Searle: Well, one of the things I love about cybersecurity - I mean, when we just think about cybersecurity in and of itself - is that it is innovation, right? Like, cybersecurity is an incredibly innovative area. New ways of doing things - it's constantly evolving. And when I think about trade secrets and kind of protecting firms' ability to invest in their innovations and support their knowledge, cybersecurity really is that practical way of protecting that trade secret. So it's making sure it stays secret. And, you know, going back to that definition of trade secrecy, it's also making sure that it's meeting a legal standard. So when we think about cybersecurity investments - and this is always a challenge for firms. Like, you know, it's always difficult to kind of judge exactly - you know, I know Microsoft talks about intelligent security, right? So it's not always straightforward to intelligently decide what level of cybersecurity you need. 

Nicola Searle: But at a minimum, you know, firms should be thinking about how their cybersecurity is protecting their trade secrets and how cybersecurity is also, you know, encouraging the flow of information within the firm, right? So you know, protecting from outsider threats is one thing. But, you know, if you shut down your information too much - so again, this is balance - then you're kind of compromising the innovation within the firm because you need - you know, you need teams to be able to work across departments. You need to - people to be able to kind of benefit from the innovation that's happening, perhaps, you know, outside of their immediate environment. And that's within the firm. So cybersecurity is this, you know, really helpful tool for both protecting it, but also making sure that it's got that right balance, that we've still got that innovative, healthy ecosystem within firms. 

Ann Johnson: It makes a tremendous amount of sense. And by the way, I think as an industry, we have to put more focus here. I'm thinking about a blog. And I know you're presenting at a conference we have in Europe with Sian John... 

Nicola Searle: Yes. Yes. 

Ann Johnson: ...Who is just one of my favorite people. 

Nicola Searle: Oh, she's fantastic. Yeah. 

Ann Johnson: She is amazing. You know, we released our Microsoft Digital Defense Report recently, and one of the areas we called out was the rise in nation-state attacks and cybercrime as a service. So when we talk about economic espionage, how do you define that, and what does it going - mean today for companies in long-term, for companies and economies and that intersection with cybercrime? 

Nicola Searle: Right. So economic espionage is the theft of trade secrets to benefit a foreign entity. So it's sort of beyond mundane, domestic competition between two firms, but actually thinking about cross borders. And on one hand, this is something that we've always seen. So if you look back to the early days of the U.S., a lot of U.S. innovations built on innovations from Europe. Britain borrowed heavily from China. East Germany had a program of spying on West German innovations. You know, so that dynamic is not that new. But we are in a very, very different environment now. 

Nicola Searle: So what we have is we have - you know, nation-states, in some cases, are developing sophisticated approaches to gathering information from, you know, specific targets. And thinking about that perspective of - let's just take a U.S. firm, for example. So if you are working in a sector that is perhaps being targeted by this, then you might find your own trade secrets are being compromised. So, you know, you're getting cyberattacks looking for your own trade secrets. You might also start to find that other competitors in your area are also suffering from this. So, you know, the firm's already struggling here. And then if this goes beyond that, then you could end up with a situation where a hostile nation-state has actually managed to take enough information from their targets that they now have, you know, this incredible innovation technology advantage that they didn't have before taking the trade secrets. And then you start to talk about getting into the implication that - what that means for national security. So we have a lot of concerns for military technologies being associated with this. There were some attacks of COVID laboratory data, also, that was the theft of those secrets. And we can get into a much - kind of somewhat disconcerting environment. I think that's a slight understatement. 

Nicola Searle: But just to temper that slightly, we don't know the extent of that. We know it's a problem, but we don't know the extent. And the other thing is just because some information has been taken doesn't mean it can actually be used. So in some cases, you - you know, if you take tons and tons of files, you may not know what is valuable. You may not have the market capacity or the factories that would allow you to actually produce competing goods. So it's alarming, but at this point, it's hard to really know the extent of it. And the reason I point out that it's hard not to is that we don't want to end up in a situation where firms are panicking about the possibility that their trade secrets are being attacked by nation-states, because then we might get into a, you know, not very healthy situation where trade secrets - they're just shutting all their information flows down. I think one of my things I keep saying is this kind of balance, right? We need firms to think about a balance between the protection but also making sure that they're still, you know, concentrating on innovating. 

Ann Johnson: I think that makes perfect sense. And I think that one of the things the cybersecurity industry could do is give firms that safety net, right? 

Nicola Searle: Yes. 

Ann Johnson: Say, look, we want you focused on your core business, and we're going to help protect you so you can focus on your core business. 

Nicola Searle: Absolutely. Because we - you know, firms are - that cybersecurity is fundamental to supporting the long-term innovation of that firm. And having it done by somebody else means that those resources can instead - that - you know, that intelligence, that knowledge is going to a more productive innovation strategy. 

Ann Johnson: So we talked a little bit about regulation, and we talked a little bit about privacy. Is there anything further that you think that we could see from a regulatory standpoint that goes beyond things like GDPR that would help protect against IP and trade secret theft, that could be done at an EU level or a U.S. level or other global communities as opposed to just a single country? 

Nicola Searle: There is a lot of discussion happening on trade secrets internationally. So we have - the World Intellectual Property Organization, for example, has been doing some symposia on this. And there is a lot more discussion of trade secrets in, for example, international trade agreements. So we've seen - so the update to NAFTA, for example, included some trade secrets provisions. So we are seeing some changes in this area, and I think a lot of awareness. One of the challenges here is - and I think, going back to sort of that thinking about firms thinking about their trade secrets, thinking about their cybersecurity and their IP is perhaps a better way of doing it than having new regulations. And the reason I say that is that when we think about IP regulations, we don't always think about the cost. And so, you know, the cost of litigating, the cost of getting in disputes, it can be very expensive. 

Nicola Searle: So I would worry that if we expanded the intellectual property sort of using a kind of a data basis that we might end up creating a very expensive environment for firms to operate in. And, you know, we already see some examples of this, where firms spend a lot of time litigating each other over IP. And sometimes, it's, you know, absolutely justified. But if you look at it as a whole, it's a cost of doing business. And that isn't necessarily a good thing. The existing intellectual property framework, to me, should be able to cover a lot of this. It's the softer side that we haven't really covered. It's that awareness. It's, you know, getting firms to think about this, getting cybersecurity firms to consider this when they're doing their decision-making. 

Ann Johnson: I get that. And I think that it is the communication, the softer, the awareness side that there is risk here. I think people talk about it quietly. But I do think that people don't like to talk about it publicly because they are concerned about, you know, potentially exposing weaknesses, right? 

Nicola Searle: Exactly. Yeah. Nobody wants to admit to it (laughter). 

Ann Johnson: Makes perfect sense. Let's change topics for a bit as we wind down. Can you share a bit with our listeners about what you're working on currently? 

Nicola Searle: Oh, yes. So I have two papers that I'm working on at the moment. And one is looking at what influences - so what kind of firms are more likely to suffer from industrial versus economic espionage? And that's kind of thinking about, you know, what sector they're in. Are they more internationalized? So what that means - because as I said, you know, I'm worried that a lot of this - a lot of these things that we're thinking about are happening without a lot of robust evidence. I'm trying to fill that. The other one - and you sort of touched on this, on this paper, earlier - is I have a paper looking at the impact of a trade secret theft on the stock market price of a firm. And what's really interesting here is, yes, there are some cases where a firm announces they've had a trade secret theft and it's, you know - they've had sort of some breach. And there is this, you know, incredible negative impact on their firm price. But what's interesting is that on average, there isn't. And this is along the same lines of what we're seeing in cybersecurity. So a lot of the cybersecurity literature is also finding - and I think this is really surprising - not a massive impact. 

Nicola Searle: So we have - you know, why this is the case is a little less clear. It may be that we're thinking about these kind of things as a cost of doing business, which isn't great. But the other point is that, you know, when we think about trade secrecy loss, it's much more - you know, the stock market price may not be the only story. We might be talking about that innovation five years down that has been compromised because of this theft. So those are the two areas I'm working on at the moment. I love all things trade secrets and cybersecurity, so yeah. 

Ann Johnson: You know, one of the reasons I love doing "Afternoon Cyber Tea" is because I learn so much from my guests. And I have learned a tremendous amount in this - you know, just spending this short period of time with you in a topic I really don't know an awful lot about. You can make this - if you're in cybersecurity, you can make this assumption that everything is at risk. But you don't actually deep dive sometimes into the specific areas and the impact - right? - to the global economy. As we think about the potential, you know, really high impact this could have if cybersecurity threats continue to, you know, increase with nation states and the theft of IP and cyberespionage and economic espionage - we like to be optimistic, though, on this show. 

(LAUGHTER) 

Ann Johnson: And we like to send our listeners away with a couple of key takeaways of potentially what they should be thinking about right now or what they can do right now. What are your thoughts on that? 

Nicola Searle: So first of all, of course, I'll talk about trade secrets. So you know, I think my message is that trade secrets are important. They're valuable. And we should be using cybersecurity to protect them, but to keep it balanced. In terms of a sort of more hopeful approach, I'm really fascinated - and as a researcher, I'm allowed to say fascinated rather than worried - by the cybercrime as service. And it is, obviously, a very worrying development. One of the things I'd like to see - and I think we're not too far away from doing that - is having a better understanding of the business models and financial structures of how this cybercrime as service is working. And I think when we have a better understanding of that, we can follow the money. And that might be a way of cutting off and reducing the impact that this is having on firms. 

Ann Johnson: That makes perfect sense to me. I really, really appreciate you taking the time out of your schedule, which I know is tremendously busy, to join us today. Thank you so much. 

Nicola Searle: It was an absolute pleasure. I very much enjoyed this. Thank you. 

Ann Johnson: So I'm always fascinated by topics that we don't think about as much when we think about cybersecurity and the actual real-life impact on businesses and even global economies. And when the opportunity presented itself to interview Dr. Nicola Searle, who is an economist who focuses on intellectual property and trade secrets and that intersection with cybersecurity, I thought it was such a fascinating topic for our listeners because it's going to broaden the scope of how they think about the impact of cyber events. And I was really looking forward to this conversation. And it did not disappoint at all. It's an engaging conversation and something that is new to many people and will really open some eyes on something that should be an obvious and intuitive topic. But it's not something the cyber industry talks about every day.

Afternoon Cyber Tea with Ann Johnson
Podcast Info
HOST(S):
Ann Johnson
Ann Johnson, CVP of Security, Compliance and Identity at Microsoft, oversees the long-term security investment and partnership strategies helping organizations become operationally resilient and unlock capabilities of Microsoft's intelligent cloud and next generation AI. From the way we tackle cyber threats to the language we use, Ann encourages the industry to get outside its comfort zones to expand how we address the evolving threat landscape.
Schedule: Tuesdays
Credits: Executive Producer is Bruce Bracken, Co-Executive Producer is Greg Ormsby, Producer is Rob Petrillo. Production Manager is Max Solomon, Scheduling and Administrative Support is Annalisa McBride, and our Audio Engineer (and magician) is none other than The Great Rich Cerbini.
Creator: Microsoft