55 billion euros lost annually to cyber espionage.
289,000 jobs at risk.
No workable solutions.
26,000,000,000 new devices soon to go online.
European and US officials warn that foreign governments are hacking into “everything that doesn’t move” to steal commercial secrets. Europe is securing personal information with all its might, but what about business information?
- Information like ongoing contract negotiations, customer and marketing data, product designs and R&D is already commonly uploaded to the cloud today.
- The risk of hacking is increasing exponentially as 26 billion personal devices, business and industrial equipment are about to become seamlessly connected in Industry 4.0.
- Within five years, an entire connected business can be copy-pasted, stolen and handed over to a competitor by a government-sponsored hacking group.
All governments spy, ipso facto, but only a few do so to hand over the information to their industry. Spying is highly lucrative, especially for emerging countries.
- Verified historical data (IZA, 2017) shows the gains are substantial, the equivalent of boosting exports to Europe by 30% even in the pre-internet era (ECIPE, 2017).
- Yet it is practically risk-free as government entities cannot be sanctioned under international law, and cyber espionage is undetectable in most cases.
- While Europe is one of the worst protected IT environments (Deloitte, 2016), it possesses the know-how in the sectors most attractive to emerging countries, like motor vehicles, biotech, infrastructure equipment and aerospace.
- It is estimated that 289,000 jobs could be at risk today (ECIPE, 2017). This exposure only increases with digitalisation – and by 2025, the losses are equivalent to a million jobs.
Both the United States and China have already responded to the risks by closing down their markets to each other in critical sectors. Europe is collateral damage in this conflict, and has already lost market access in China over national security concerns.
- China has concluded treaties to end commercial cyber espionage with the US and its allies in the Five Eyes intelligence alliance, with considerable resources for cyber deterrence – while shunning Germany and other EU countries who are unlikely to develop such capabilities.
- The situation is untenable for Europe. Abroad, market access is increasingly limited due to new cyber security laws. At home, it is affected by cyber espionage, which it lacks the diplomatic, strategic or technical solutions to curb.
Europe will have no choice but to use the only option at its disposal: disrupt China’s access to the Single Market to create negotiating leverage.
- Legislative processes for EU-wide investment screening and product certification and stricter security screening of ICT vendors in some Member States are already in the works.
- Whether these measures help to secure European corporate data is secondary to the economic leverage they create. By Europe’s moral imperative, it is China’s strategic choices that pushed the EU to the point of no return – thus, it is China’s responsibility to de-escalate the situation if it wants to keep the EU markets open for Chinese exporters.
This report stands on the shoulders of the work by CSIS, IZA, the Council on Foreign Relations, the Directorate General for Safety and Security (DGV) at the Ministry of BZK of the Netherlands, and the German Federal Ministry of the Interior. The author also wishes to acknowledge the assistance of Valentin Moreau and Nicolas Botton, as well as the invaluable comments by Martina Ferracane, Bruno Macaes and European officials who have shared their insights.
How cyber espionage disrupts commerce
As the Asian countries have quickly caught up with the West in the ICT sector, the developed and emerging countries are ever closer on the world’s technological frontier. Shrinking the digital divide in a way that leads to more inclusive trade and open market competition is a good thing – or even the ultimate goal for a free trader. However, there is more at play than free and friendly competition by legitimate means. Government interference, subsidies and protectionism have led to market distortions and inefficient allocation of resources.
As over 50% of global trade in services is enabled by ICT, information technology is the modern equivalent of the shipping lanes or synaptic nerves that tie any global organisation together. If technology is the enabler of economic statecraft, telecommunications and online services are its most vital assets. The cloud and next-generation broadband have already enabled online storage. Businesses deposit and share tactical information on ongoing contract negotiations, customer data or technical descriptions of product designs, business processes and ongoing R&D in their networks. Moreover, all files and data available on devices, servers or workstations are universally accessible from the corporate network, and also accessible from the public internet, albeit via encrypted virtual private networks (VPN). Practically no corporate network maintains a physical “air gap” to the internet, which would make vital corporate information physically inaccessible from public networks.
Furthermore, even the smallest SMEs host their financial systems for accounting, payments and inventory online. So are the business support systems for point-of-sales, marketing, R&D and operational planning used by each function of a firm. Today’s cash registers are actually PCs that are interconnected via open networks to the head office functions, aggregating information all the way up to the chief financial officer, or the CEO, or into the customer database in the marketing department.
This corporate infrastructure makes firms vulnerable not just to economic espionage and theft, but also to disruptions. Malware (which corrupts system information) still accounts for the most common type of breach, particularly ransomware, a type of malware like WannaCry that triggered the first intra-EU operational cooperation under the NIS directive.
Taking an average week of the year, one week of business disruption reduces corporate turnover by 2%. Given that the 110 largest German companies had margins of just 6.3%, three weeks of disruption is sufficient to erase the annual profit margin and shareholder dividends for a typical, publicly traded German company. Not even the crisis-resilient manufacturing companies of the German Mittelstand survive more than three weeks and five days on average, withstanding costs for restoration of systems and data.
Today, 96.5% of all SMEs in developing economies store some form of business data digitally. A considerable amount of intellectual capital and know-how is already digitised and stored online. Europol warns that most, if not all, public-facing critical infrastructure sectors rely extensively on computer systems for many aspects of their industry. One in five industrial computers is attacked every month, and Europol observes an upsurge attributed not to common cyber-criminals but to advanced persistent threat (APT) groups with a new geographic distribution – most notably in Asia (i.e. China and to a lesser degree North Korea). Although there is a risk of high-impact attacks, they are almost universally becoming more prevalent each year, relying heavily on social engineering tactics such as spear-phishing to convince individuals within the target company to breach or circumvent their own IT security measures. Moreover, the manufacturing sector remained among the top 3 industries targeted by spear-phishing attacks, while the number of vulnerabilities found in industrial control systems in the world quadrupled in a single year.
 UNCTAD, ICT Economy Report, 2011
 Council of the European Union, Cybersecurity – Information from the Commission, May 31, 2017
 Weber, W.W, Germany’s Midsize Manufacturers Outperform Its Industrial Giants, Harvard Business Review, August 12, 2016, accessed at: https://hbr.org/2016/08/germanys-midsize-manufacturers-outperform-its-industrial-giants
 Zurich, Potential effect on business of small and medium enterprises (SMEs) due to cybercrime in 2016, November 2016
 Europol, Internet Organised Crime Threat Assessment (IOCTA), 2017
 Ibid.; Kaspersky Lab, Threat Landscape for Industrial Automation Systems in the Second Half of 2016, p. 10, 2017
 Ibid.; Symantec, Internet Security Threat Report: Volume 22, p. 15, April 2017
 Symantec, Internet Security Threat Report: Volume 21, p. 41, April 2016