Southeast Asia Should Confront Threat of Economic Espionage

Southeast Asia’s digital transformation is unleashing a flurry of new opportunities and challenges. Across the region, governments and businesses are becoming cognizant of data protection, as cases of identity theft and credit card fraud reach new heights amidst the Covid-19 pandemic. But added to the flurry of concerns for governments is the looming challenge of state-sponsored intellectual property (IP) theft.

State-sponsored IP theft is a form of ‘economic espionage’, or the state practice of stealing commercially valuable data like IP. While the practice can be traced back to antiquity, the growing ubiquity of digital technology has made the practice more widespread, as governments industrialise their economic espionage efforts through cyber means. As an example of its scalable nature, American cybersecurity firm Cybereason reported, in early May, that hackers stole trillions of intellectual property (IP) from thirty multinational corporations across Europe, Asia, and North America. The culprit was ‘Winnti’ (also known as APT41), a prominent hacking group with a history of conducting cyber-espionage operations on behalf of the Chinese state. While this is not the first major incident attributed to allegedly China-linked hackers, the case saw one of the largest amounts of IP stolen in recent history.

State-sponsored IP theft is a persistent threat to the global economy, costing huge losses each year. The U.S. alone is estimated to lose up to US$600 billion annually. In an effort to instil a global norm against state-sponsored economic espionage, U.S. President Barack Obama and Chinese President Xi Jinping reached an understanding in 2015 that states should refrain from practising cyber-enabled IP theft for commercial purposes. This pledge was repeated by leaders at the 2015 G20 summit in Turkey.

But seven years on, evidence suggests that states continue to sponsor the theft of commercially valuable data. A cursory review of known cyber intrusions from the dataset provided by the Council on Foreign Relations, for example, indicates that the number of cases of known cyber intrusions affecting private firms has increased since 2015. There were 300 known cases of state-sponsored cyber intrusions by countries such as China, Russia, Iran and North Korea. This impacted private firms; 229 incidents were recorded to have been perpetrated since 2016. There are also many more cases appearing in developing countries, including in Southeast Asia.

The growing vulnerability of Southeast Asia’s commercial firms can be attributed to their own successes. The region is increasingly home to some of the most rapidly growing knowledge-intensive sectors in the world, making some of its commercial entities and research firms increasingly attractive targets of IP theft.

For example, between 2011 and 2018, the Bronze Mohawk hacking group, which is linked to Chinese state entities, breached commercial entities and universities in Cambodia, Indonesia, and Malaysia to steal patent chemical formulas, sensitive technologies, and trade secrets. Meanwhile, the Winnti group has been known to carry out large campaigns of systems breaches and data mining, affecting commercial entities in Malaysia, the Philippines, and Singapore.

China has also allegedly initiated cyber-espionage operations against commercial entities in projects associated with the Belt and Road Initiative. In May 2016, Fox IT discovered the ‘Mofang’ hacking group in Myanmar, targeting commercial firms that are direct competitors of Chinese firms. Meanwhile, commercial firms in Laos and Cambodia have been targeted by hackers searching for trade secrets (which are classified as intellectual property by the World Intellectual Property Organisation).

The growing vulnerability of Southeast Asia’s commercial firms can be attributed to their own successes. The region is increasingly home to some of the most rapidly growing knowledge-intensive sectors in the world, making some of its commercial entities and research firms increasingly attractive targets of IP theft. Many firms are also integral parts of an entangled labyrinth of supply chains connected to companies in advanced economies, which may be the ultimate targets of Chinese hackers.

Responding to the threat of cyber-enabled IP theft (or any other form of economic espionage) requires effort at both the international and domestic levels. At the international level, Southeast Asian governments should pursue two sets of actions.

First, Southeast Asian governments must be more willing to discuss the problem of economic espionage with foreign states and commit to norms of responsible state behaviour in cyberspace, which includes refraining from sponsoring economic espionage. States that violate these norms should be confronted with an increasingly costly set of diplomatic signals that communicate disapproval of this practice. For example, this may start with diplomatic protests. Frank discussions should then be held at the bilateral level to signal that the issue of IP theft is of increasing concern. Failure by accused states to refrain from sponsoring IP theft can then be brought up to higher levels, like multilateral forums, where governments can gather international support to pressure the accused state.

Second, Southeast Asian states should also be more vocal about responsible state behaviour at the multilateral level. They should sustain their engagement in international forums designed to address the threat of malign state behaviour in cyberspace, such as through relevant United Nations mechanisms and the Global Forum of Cyber Expertise. Not only do these kinds of dedicated forums help governments share information and best practices, but they also provide opportunities for capacity building and tapping into global expertise in cybersecurity. Moreover, Southeast Asian states should, either collectively or with other like-minded countries, be more active in promoting the norms against state-sponsored cyber-enabled IP theft in global forums such as the G20, APEC and the East Asia Summit.

Ultimately, these diplomatic efforts can only work in tandem with effective cybersecurity and IP law enforcement. As a region renowned for its diversity, Southeast Asian states face different kinds of problems in enforcing IP protection and protecting their cyberspace. Individual governments must continue to work towards improving their own cybersecurity capabilities, raise awareness about digital hygiene and IP protection, and ensure that legislation surrounding enforcement mechanisms are properly enforced. Defending against cyber-enabled IP theft is a whole-of-society effort and diplomacy is only one way to combat the threat. Considering that Southeast Asian governments are banking on rapid digital transformation for economic growth, it would be prudent to take the issue of economic espionage more seriously.

2022/179