• Home
  • About RSIS
    • Introduction
    • Building the Foundations
    • Welcome Message
    • Board of Governors
    • Staff Profiles
      • Executive Deputy Chairman’s Office
      • Dean’s Office
      • Management
      • Distinguished Fellows
      • Faculty and Research
      • Associate Research Fellows, Senior Analysts and Research Analysts
      • Visiting Fellows
      • Adjunct Fellows
      • Administrative Staff
    • Honours and Awards for RSIS Staff and Students
    • RSIS Endowment Fund
    • Endowed Professorships
    • Career Opportunities
    • Getting to RSIS
  • Research
    • Research Centres
      • Centre for Multilateralism Studies (CMS)
      • Centre for Non-Traditional Security Studies (NTS Centre)
      • Centre of Excellence for National Security (CENS)
      • Institute of Defence and Strategic Studies (IDSS)
      • International Centre for Political Violence and Terrorism Research (ICPVTR)
    • Research Programmes
      • National Security Studies Programme (NSSP)
      • Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
    • [email protected] Newsletter
    • Other Research
      • Future Issues And Technology (FIT)
      • Science and Technology Studies Programme (STSP) (2017-2020)
  • Graduate Education
    • Graduate Programmes Office
    • Overview
    • MSc (Asian Studies)
    • MSc (International Political Economy)
    • MSc (International Relations)
    • MSc (Strategic Studies)
    • NTU-Warwick Double Masters Programme
    • PhD Programme
    • Exchange Partners and Programmes
    • How to Apply
    • Financial Assistance
    • Meet the Admissions Team: Information Sessions and other events
    • RSIS Alumni
  • Alumni & Networks
    • Alumni
    • Asia-Pacific Programme for Senior Military Officers (APPSMO)
    • Asia-Pacific Programme for Senior National Security Officers (APPSNO)
    • SRP Executive Programme
    • Terrorism Analyst Training Course (TATC)
  • Publications
    • RSIS Publications
      • Annual Reviews
      • Books
      • Bulletins and Newsletters
      • Commentaries
      • Counter Terrorist Trends and Analyses
      • Commemorative / Event Reports
      • IDSS Paper
      • Interreligious Relations
      • Monographs
      • NTS Insight
      • Policy Reports
      • Working Papers
      • RSIS Publications for the Year
    • Glossary of Abbreviations
    • External Publications
      • Authored Books
      • Journal Articles
      • Edited Books
      • Chapters in Edited Books
      • Policy Reports
      • Working Papers
      • Op-Eds
      • External Publications for the Year
    • Policy-relevant Articles Given RSIS Award
  • Media
    • Cohesive Societies
    • Great Powers
    • Sustainable Security
    • COVID-19 Resources
    • Other Resource Pages
    • Media Highlights
    • News Releases
    • Speeches
    • Vidcast Channel
    • Audio/Video Forums
  • Events
  • Giving
  • Contact Us
Facebook
Twitter
YouTube
RSISVideoCast RSISVideoCast rsis.sg
Linkedin
instagram instagram rsis.sg
RSS
  • Home
  • About RSIS
      • Introduction
      • Building the Foundations
      • Welcome Message
      • Board of Governors
      • Staff Profiles
        • Executive Deputy Chairman’s Office
        • Dean’s Office
        • Management
        • Distinguished Fellows
        • Faculty and Research
        • Associate Research Fellows, Senior Analysts and Research Analysts
        • Visiting Fellows
        • Adjunct Fellows
        • Administrative Staff
      • Honours and Awards for RSIS Staff and Students
      • RSIS Endowment Fund
      • Endowed Professorships
      • Career Opportunities
      • Getting to RSIS
  • Research
      • Research Centres
        • Centre for Multilateralism Studies (CMS)
        • Centre for Non-Traditional Security Studies (NTS Centre)
        • Centre of Excellence for National Security (CENS)
        • Institute of Defence and Strategic Studies (IDSS)
        • International Centre for Political Violence and Terrorism Research (ICPVTR)
      • Research Programmes
        • National Security Studies Programme (NSSP)
        • Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
      • [email protected] Newsletter
      • Other Research
        • Future Issues And Technology (FIT)
        • Science and Technology Studies Programme (STSP) (2017-2020)
  • Graduate Education
      • Graduate Programmes Office
      • Overview
      • MSc (Asian Studies)
      • MSc (International Political Economy)
      • MSc (International Relations)
      • MSc (Strategic Studies)
      • NTU-Warwick Double Masters Programme
      • PhD Programme
      • Exchange Partners and Programmes
      • How to Apply
      • Financial Assistance
      • Meet the Admissions Team: Information Sessions and other events
      • RSIS Alumni
  • Alumni & Networks
      • Alumni
      • Asia-Pacific Programme for Senior Military Officers (APPSMO)
      • Asia-Pacific Programme for Senior National Security Officers (APPSNO)
      • SRP Executive Programme
      • Terrorism Analyst Training Course (TATC)
  • Publications
      • RSIS Publications
        • Annual Reviews
        • Books
        • Bulletins and Newsletters
        • Commentaries
        • Counter Terrorist Trends and Analyses
        • Commemorative / Event Reports
        • IDSS Paper
        • Interreligious Relations
        • Monographs
        • NTS Insight
        • Policy Reports
        • Working Papers
        • RSIS Publications for the Year
      • Glossary of Abbreviations
      • External Publications
        • Authored Books
        • Journal Articles
        • Edited Books
        • Chapters in Edited Books
        • Policy Reports
        • Working Papers
        • Op-Eds
        • External Publications for the Year
      • Policy-relevant Articles Given RSIS Award
  • Media
      • Cohesive Societies
      • Great Powers
      • Sustainable Security
      • COVID-19 Resources
      • Other Resource Pages
      • Media Highlights
      • News Releases
      • Speeches
      • Vidcast Channel
      • Audio/Video Forums
  • Events
  • Giving
  • Contact Us
  • instagram instagram rsis.sg
Connect

Getting to RSIS

Map

Address

Nanyang Technological University
Block S4, Level B3,
50 Nanyang Avenue,
Singapore 639798

View location on Google maps Click here for directions to RSIS

Get in Touch

    Connect with Us

      rsis.ntu
      rsis_ntu
      rsisntu
    RSISVideoCast RSISVideoCast rsisvideocast
      school/rsis-ntu
    instagram instagram rsis.sg
      RSS
    Subscribe to RSIS Publications
    Subscribe to RSIS Events

    RSIS Intranet

    S. Rajaratnam School of International Studies Think Tank and Graduate School Ponder The Improbable Since 1966
    Nanyang Technological University Nanyang Technological University

    Skip to content

     
    • RSIS
    • Publication
    • RSIS Publications
    • CO13083 | A National Security Imperative: Protecting Singapore Businesses from Cyber-Espionage
    • Annual Reviews
    • Books
    • Bulletins and Newsletters
    • Commentaries
    • Counter Terrorist Trends and Analyses
    • Commemorative / Event Reports
    • IDSS Paper
    • Interreligious Relations
    • Monographs
    • NTS Insight
    • Policy Reports
    • Working Papers
    • RSIS Publications for the Year

    CO13083 | A National Security Imperative: Protecting Singapore Businesses from Cyber-Espionage
    Senol Yilmaz

    02 May 2013

    download pdf
    RSIS Commentary is a platform to provide timely and, where appropriate, policy-relevant commentary and analysis of topical and contemporary issues. The authors’ views are their own and do not represent the official position of the S. Rajaratnam School of International Studies (RSIS), NTU. These commentaries may be reproduced with prior permission from RSIS and due credit to the author(s) and RSIS. Please email to Editor RSIS Commentary at [email protected].

    Synopsis

    Cyber-espionage is a real and growing threat to businesses and economies. Some counter-measures can be taken by the private sector. But the government plays an important role in protecting its businesses from cyber-exploitation.

    Commentary

    OVER THE PAST few decades, Singapore’s economy has moved up from a mere producer of material goods to a creative inventor of ideas. This success stands on two main pillars: Firstly, heavy investment has been made in education as well as research and development. Secondly, the rigorous protection of intellectual property rights has reassured investors that their patents, trademarks, and trade secrets are safe and that their investments will pay out. Singapore’s innovation-friendliness is ranked in the list of the 20 most innovative countries in the world by the Economist Intelligence Unit; the World Economic Forum’s latest Global Competitiveness Report lists Singapore’s intellectual property protection regime second only to Finland’s.

    However, with the widespread and growing use of cyber-espionage, this success could be undone quickly and quietly. The vast majority of companies store their secret business information digitally, whether it is formulas, production processes, or customer lists. The advantages over paper-based storing are obvious: digital storage is more cost effective and data can be accessed more comfortably by employees. But it also means that cyber-spies who gain access to a company’s IT network can steal enormous amounts of business secrets cheaply, easily and with little risk of detection.

    A popular method of gaining illegal access is “spear-phishing”, as happened in the case of a medium-sized Swiss manufacturing company recently. The sales manager received a legitimate sounding e-mail supposedly from a potential client. He double-clicked on the attached file, assuming it contained an order. In reality, the attachment installed malware, or malicious software, on the sales manager’s computer. Subsequently, the malware opened a virtual door that allowed the perpetrator to access and search for information on the company’s computer network and allowed transferring data to the perpetrator. In this or in similar ways, companies’ innovations that may cost millions to develop can be stolen with malware that costs hundreds.

    The perpetrators in these cases are difficult to identify as they can conceal their real identity and physical location. While many states engage in political and military espionage, experts argue that Chinese organisations are especially active in economic espionage with their government at best turning a blind eye to such activities.

    The magnitude of the financial damage is extremely difficult to estimate since most firms are either not aware of breaches and theft of their secrets, or not willing to report them. One estimate puts the annual damage at USD 400 billion for the U.S.A. alone. Given Singapore’s emphasis and reliance on innovation combined with her inter-connectedness, it would be surprising if cyber-espionage did not cause substantial financial damage here.

    A Matter of National Security

    Since this City-State’s economic well-being stands partly on innovation and on being a place investors can trust, cyber-espionage is a real threat to economic success, for the innovative idea stolen today is tomorrow’s dollar lost. But this is not only an economic issue to be left to private companies to deal with: Joel Brenner, former inspector general of the U.S. National Security Agency, rightly argues that the boundary between economic security and national security has become indistinctive. Creativity and inventiveness are sources of national income which again finance strategic power. Therefore, Brenner points out that the theft of intellectual property is not merely an economic issue but a matter of national security. Consequently, governments must be active in helping businesses to counter cyber-espionage.

    What needs to be done?

    A first step to counter cyber-espionage would be information sharing about attacks suffered: Once security gaps in software applications are identified they can be closed so that cyber-spies cannot exploit the same gap to intrude other companies’ systems. However, neither private companies nor government bodies like making instances of cyber-espionage public for fear of reputational damage with citizens, customers, investors, or shareholders.

    To overcome this problem, governments have used the stick approach: The European Commission has made a proposal recently that would make it mandatory for companies operating in key business areas to report “significant” cases of cyber-espionage. However, companies will probably not be overly forthcoming with information, especially as they can rationalise that they did not assess a given case as “significant” enough.

    An example for an innovative, non-government driven approach can be found in Sweden. Swedish banks are said to have formed a closed circle of trusted partners whose IT security representatives meet and exchange information about attacks regularly. They work on a first name basis and do not know each others’ company affiliation. That way, attacks are not leaked to the media and reputational damage is averted while information is shared, software vulnerabilities closed and attacks using the same method prevented. In Singapore’s business friendly environment, a similar approach where private business takes leadership could be more readily accepted than top-down government regulation.

    This does not mean that there is no role for governments at all. Five initiatives could help alleviate the problem. Firstly, and most easily, a proverbial carrot could be offered to companies operating in key business areas through taxation: Those companies that make investments and upgrade their IT security could be given special tax breaks. Secondly, government contracts, funding and loans could be tied to predefined and continuously updated minimum IT security standards. This would be an incentive for all organisations in key business areas that vie for government money. Thirdly, best practices should be defined, constantly updated in cooperation with the private sector and actively promoted through outreach programmes. Fourthly, supply chain security is crucial: Hard and software must be purchased from trusted manufacturers that deliver products free of malware.Governments can help identify such manufacturers. Lastly, it is governments’ task to represent the interests of its private sector internationally. Since cyber-espionage is an international problem, international cooperation among partners is essential.

    Most experts agree that the threats from cyber-spies will increase in the coming years both in terms of quantity and quality. Since cyber-spies constantly search for and find new software vulnerabilities, fighting cyber-espionage resembles aiming at a moving target and will therefore be a constant struggle. The only way to keep the threat in check is to remain vigilant.

    About the Author  

    Senol Yilmaz is an Associate Research Fellow at the Centre of Excellence for National Security (CENS), a constituent unit of the S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University.

    Categories: Commentaries /

    Last updated on 25/09/2014

    RSIS Commentary is a platform to provide timely and, where appropriate, policy-relevant commentary and analysis of topical and contemporary issues. The authors’ views are their own and do not represent the official position of the S. Rajaratnam School of International Studies (RSIS), NTU. These commentaries may be reproduced with prior permission from RSIS and due credit to the author(s) and RSIS. Please email to Editor RSIS Commentary at [email protected].

    Synopsis

    Cyber-espionage is a real and growing threat to businesses and economies. Some counter-measures can be taken by the private sector. But the government plays an important role in protecting its businesses from cyber-exploitation.

    Commentary

    OVER THE PAST few decades, Singapore’s economy has moved up from a mere producer of material goods to a creative inventor of ideas. This success stands on two main pillars: Firstly, heavy investment has been made in education as well as research and development. Secondly, the rigorous protection of intellectual property rights has reassured investors that their patents, trademarks, and trade secrets are safe and that their investments will pay out. Singapore’s innovation-friendliness is ranked in the list of the 20 most innovative countries in the world by the Economist Intelligence Unit; the World Economic Forum’s latest Global Competitiveness Report lists Singapore’s intellectual property protection regime second only to Finland’s.

    However, with the widespread and growing use of cyber-espionage, this success could be undone quickly and quietly. The vast majority of companies store their secret business information digitally, whether it is formulas, production processes, or customer lists. The advantages over paper-based storing are obvious: digital storage is more cost effective and data can be accessed more comfortably by employees. But it also means that cyber-spies who gain access to a company’s IT network can steal enormous amounts of business secrets cheaply, easily and with little risk of detection.

    A popular method of gaining illegal access is “spear-phishing”, as happened in the case of a medium-sized Swiss manufacturing company recently. The sales manager received a legitimate sounding e-mail supposedly from a potential client. He double-clicked on the attached file, assuming it contained an order. In reality, the attachment installed malware, or malicious software, on the sales manager’s computer. Subsequently, the malware opened a virtual door that allowed the perpetrator to access and search for information on the company’s computer network and allowed transferring data to the perpetrator. In this or in similar ways, companies’ innovations that may cost millions to develop can be stolen with malware that costs hundreds.

    The perpetrators in these cases are difficult to identify as they can conceal their real identity and physical location. While many states engage in political and military espionage, experts argue that Chinese organisations are especially active in economic espionage with their government at best turning a blind eye to such activities.

    The magnitude of the financial damage is extremely difficult to estimate since most firms are either not aware of breaches and theft of their secrets, or not willing to report them. One estimate puts the annual damage at USD 400 billion for the U.S.A. alone. Given Singapore’s emphasis and reliance on innovation combined with her inter-connectedness, it would be surprising if cyber-espionage did not cause substantial financial damage here.

    A Matter of National Security

    Since this City-State’s economic well-being stands partly on innovation and on being a place investors can trust, cyber-espionage is a real threat to economic success, for the innovative idea stolen today is tomorrow’s dollar lost. But this is not only an economic issue to be left to private companies to deal with: Joel Brenner, former inspector general of the U.S. National Security Agency, rightly argues that the boundary between economic security and national security has become indistinctive. Creativity and inventiveness are sources of national income which again finance strategic power. Therefore, Brenner points out that the theft of intellectual property is not merely an economic issue but a matter of national security. Consequently, governments must be active in helping businesses to counter cyber-espionage.

    What needs to be done?

    A first step to counter cyber-espionage would be information sharing about attacks suffered: Once security gaps in software applications are identified they can be closed so that cyber-spies cannot exploit the same gap to intrude other companies’ systems. However, neither private companies nor government bodies like making instances of cyber-espionage public for fear of reputational damage with citizens, customers, investors, or shareholders.

    To overcome this problem, governments have used the stick approach: The European Commission has made a proposal recently that would make it mandatory for companies operating in key business areas to report “significant” cases of cyber-espionage. However, companies will probably not be overly forthcoming with information, especially as they can rationalise that they did not assess a given case as “significant” enough.

    An example for an innovative, non-government driven approach can be found in Sweden. Swedish banks are said to have formed a closed circle of trusted partners whose IT security representatives meet and exchange information about attacks regularly. They work on a first name basis and do not know each others’ company affiliation. That way, attacks are not leaked to the media and reputational damage is averted while information is shared, software vulnerabilities closed and attacks using the same method prevented. In Singapore’s business friendly environment, a similar approach where private business takes leadership could be more readily accepted than top-down government regulation.

    This does not mean that there is no role for governments at all. Five initiatives could help alleviate the problem. Firstly, and most easily, a proverbial carrot could be offered to companies operating in key business areas through taxation: Those companies that make investments and upgrade their IT security could be given special tax breaks. Secondly, government contracts, funding and loans could be tied to predefined and continuously updated minimum IT security standards. This would be an incentive for all organisations in key business areas that vie for government money. Thirdly, best practices should be defined, constantly updated in cooperation with the private sector and actively promoted through outreach programmes. Fourthly, supply chain security is crucial: Hard and software must be purchased from trusted manufacturers that deliver products free of malware.Governments can help identify such manufacturers. Lastly, it is governments’ task to represent the interests of its private sector internationally. Since cyber-espionage is an international problem, international cooperation among partners is essential.

    Most experts agree that the threats from cyber-spies will increase in the coming years both in terms of quantity and quality. Since cyber-spies constantly search for and find new software vulnerabilities, fighting cyber-espionage resembles aiming at a moving target and will therefore be a constant struggle. The only way to keep the threat in check is to remain vigilant.

    About the Author  

    Senol Yilmaz is an Associate Research Fellow at the Centre of Excellence for National Security (CENS), a constituent unit of the S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University.

    Categories: Commentaries

    Last updated on 25/09/2014

    Back to top

    Terms of Use | Privacy Statement
    Copyright © S. Rajaratnam School of International Studies. All rights reserved.
    This site uses cookies to offer you a better browsing experience. By continuing, you are agreeing to the use of cookies on your device as described in our privacy policy. Learn more
    OK
    Latest Book
    CO13083 | A National Security Imperative: Protecting Singapore Businesses from Cyber-Espionage

    Synopsis

    Cyber-espionage is a real and growing threat to businesses and economies. Some counter-measures can be taken by the priv ...
    more info