ATLANTISCH PERSPECTIEF
Securing Our Knowledge in an Era of Hybrid Warfare
Nina van Lanschot
In an increasingly volatile and interconnected world, safeguarding knowledge and intellectual property (IP) has become a cornerstone of national resilience. The theft of critical data has emerged as a pivotal strategy within hybrid warfare. It poses direct threats to national security, societal resilience, and economic competitiveness. To protect critical knowledge, a comprehensive approach involving regulation, awareness and international collaboration is vital.
Nation-states are increasingly resorting to IP theft, for instance through cyber espionage and insider access, to undermine rival economies, gain leverage over critical infrastructure, influence cultural narratives, and secure competitive technological and military advantages. Academic institutions, government bodies, and private enterprises are all targets, albeit in different ways and sometimes for different reasons. Understanding the motives and tactics behind these activities is essential for developing effective regulations and countermeasures, and for fostering awareness without inciting unnecessary fear. Alongside international public-private collaboration and intelligence sharing, these measures are vital for building societal resilience.
Dual use technologies
Whilst the motives behind data theft may appear straightforward—financial gain, technological advancement or circumventing international sanctions—they often vary and demand tailored countermeasures. Comprehending these diverse motivations is crucial for organizations aiming to protect themselves.
A prevalent motive is economic disruption through IP theft, which accelerates an adversary's technological development without the equivalent investment or regard for ethical constraints, leaving the original innovators at a strategic and financial disadvantage. Although a long-term strategy, it is aggressively pursued and combined with other hybrid warfare tactics. This frequently impacts academic institutions and tech, military, biotech, or critical infrastructure organizations, with dual-use technologies being especially vulnerable. Dual-use technologies, which can serve both civilian and military purposes, are attractive targets for state-sponsored IP theft. They are found in fields such as advanced semiconductors, artificial intelligence and quantum technology, making them crucial for national competitiveness and security. What makes them extra vulnerable is that it is not always clear from the beginning that a technology is dual use, as the military application may only become apparent later in the research process. Exploiting dual-use IP halts or damages the innovative capacity of the victim, spurs the technological development and military capabilities of the aggressor, and curbs the aggressor's dependence on other nations.
Bypassing sanctions
Another driver is the pursuit of resources (supplies or monetary), where access to the global market may be constrained by international sanctions. Some states resort to stealing IP from European or US based pharmaceutical companies to manufacture essential medicines domestically, thereby bypassing sanctions. These actors may bring these domestically produced medications to market in countries that do not participate in the sanctions, creating opportunities to boost their exports while securing access to medicine for their populations. North Korea, for example, has been identified as the actor behind ransomware attacks targeting U.S. healthcare facilities, using the ransoms paid by victims to finance its cyber-espionage operations. Such attacks disrupt organizations and may lead to inadvertent sanctions violations if ransom payments are made to sanctioned entities.
However, not all ransomware attacks are what they seem: some of these attacks, seemingly driven by financial motives, are fronts for data theft for espionage purposes. Even when ransoms are paid, stolen data can still be extracted and exploited without the victim being aware that data extraction was the goal of the operation. These operations are often executed by criminal groups acting as proxies, driven by financial or ideological motives. This underscores the blurred lines between state and non-state actors in hybrid warfare. Such proxy groups can also operate in the physical domain. For example, criminal groups engaged in subversive crime at the ports of Vlissingen and Eemshaven in the Netherlands can serve as a smokescreen to establish a position for espionage on NATO transports passing through these harbours.
Lastly, data theft at critical infrastructure organizations can have a great impact at the individual level, for example when the electricity supply of the healthcare sector is hit or personal data held by local government is encrypted, stolen, or altered. A core concern, however, is data being stolen to improve an actor's information position so that critical networks can be sabotaged at a chosen moment in the future. In these sectors Russia and China increasingly join forces in their espionage efforts. While their motives differ (originally China focused on IP theft, Russia on sabotage), Russia has developed an increased focus on IP theft as a result of this collaboration.
Challenges for academia
In the competitive world of academic research, sensitive knowledge or technologies can be stolen in various ways, for instance through partnerships between universities, visiting scholars, cyber espionage, or even foreign-owned companies setting up shop on university campuses. The push for Open Science—where research findings, methods and data are shared openly for the benefit of science and society—remains a fundamental value in universities. As a result, convincing staff to follow stricter rules on collaboration and data sharing is proving to be a challenge. A single professor not following policies could result in research findings subject to export control restrictions being shared with foreign actors without the necessary approval or mitigating measures. Universities are often hesitant to enforce stringent measures, fearing the loss of esteemed researchers to competing institutions. IP being stolen is not the only risk; visiting academics may also sabotage projects by altering data, hindering research and potentially changing the direction of research projects.
The risk extends beyond STEM disciplines, as the humanities, law, and the social sciences are also targeted. Professors discussing sensitive topics, such as the Uyghur crisis, may face intimidation from students; foreign academics may push for language changes that align with their national interests (e.g., replacing mentions of "Taiwan"); and academic staff are specifically targeted by disinformation campaigns intended to alter their worldviews. China in particular uses shows of force, sending delegations to coerce students abroad into cooperating with the Chinese authorities. Knowledge institutions should be aware of this and create reporting mechanisms through which their staff and students can be supported if this happens to them.
These pressures highlight the need for universities to formulate their own reasonable and pragmatic security policies, which adhere to national laws and allow them to remain an attractive (rather than restrictive) employer. To avoid the waterbed effect of researchers moving to the institutions with the least strict screening and security policies, there is an urgent need for internationally (perhaps transatlantically) recognized "secure collaboration" frameworks that balance the demand for open, multinational cooperation with strict protocols to protect sensitive data without stifling academic freedom.
Vulnerable start-ups
A very vulnerable group that falls between the cracks of academia and business is start-ups. They often emerge from academic research and do the work of developing technological findings into a product and bringing it to market. Increasingly these companies develop civilian technologies into dual-use technologies without having the risk management practices in place that one would expect of companies working with such technologies. There has been increased focus on how these companies are funded. There is a significant difference in the availability of (venture) capital (and average deal size) between the US and the EU. For too long, the assets of young technology companies (both IP and talent) leaving the EU for the US were recognized as problematic but not addressed properly, as all focus went to preventing Chinese funding of these companies. Safeguards exist to prevent foreign investment in military technologies. There should therefore be explicit focus on the stage where these start-ups still work with 'merely' civilian technology, to prevent foreign investors from taking a stake in a company just before its technology is classified as dual-use. With the increased need for European independence, European private capital institutions need to alter their risk appetite and invest in these early-stage companies developing technologies with military applications.
But it is not just their need for funding that makes these companies vulnerable. A lack of internal awareness, HR procedures, and a robust IT infrastructure makes them a relatively easy target for cybercrime and insider risk. Reports like Mario Draghi's The Future of European Competitiveness could, aided by the major wars in the Middle East and in Ukraine and by Trump's election, be used to form a more robust strategy for innovation and economic resilience in the EU. Venture capital institutions – such as the NATO Innovation Fund – could be useful platforms to address the risks specific to start-ups and to create a common transatlantic threat-sharing community.
Stolen through malware
Increasingly strict security regulations, including the Digital Operational Resilience Act (DORA) for IT security in financial institutions, the cybersecurity directive NIS II (under which executives can be held personally liable for non-compliance) and the CER directive to strengthen the resilience of critical entities, are strengthening cybersecurity defenses across the EU. As DORA and NIS II go into effect and cybersecurity measures mature, threat actors are likely to seek alternative entry points into organizations. As a result, the number of employees and third-party suppliers targeted to assist in data extraction is expected to grow, further complicating the security landscape.
With the cost of living increasing and salaries in many sectors not catching up, combined with high levels of resentment, it may be easier for actors to find individuals who are willing to provide insider access to harm organizations. For example, in December 2020 two individuals were arrested in relation to a large data theft scheme at the Italian defense contractor Leonardo S.p.A. At least 10GB of confidential information (the equivalent of 100,000 files) was stolen through malware between May 2015 and January 2017. Authorities discovered that data had been exfiltrated from 33 computers and confirmed that a total of 94 corporate devices were infected with malware. Those arrested turned out to be a (third-party) IT consultant and the head of Leonardo's Cyber Emergency Readiness Team (CERT). The consultant knowingly installed the malware using a USB stick. Because of his insider position and corporate duties, he was even able to re-install multiple successive versions of his malware.
The EU is of course not the only geopolitical actor strengthening its societal defenses. China's implementation of more stringent anti-espionage laws has resulted in the arrest of a South Korean chip engineer, intensifying the ongoing intellectual property theft dispute between China and South Korea in the semiconductor sector.
Improved awareness
Amid rising geopolitical tensions, it will be key for organizations to adopt a holistic security approach. In such an approach, risk appetite and mitigation measures are agreed on and budgeted for at board level, and deeply integrated into the organization. This means that security is not only the responsibility of the physical and IT security teams, but that there are also dedicated stakeholders within the HR, legal, procurement, R&D and other relevant departments. Security awareness among employees is key and should be handled with the care and consideration the topic requires: the increase in both internal and external threats must be discussed without creating distrust or an unpleasant work environment. Awareness should therefore ideally not be pushed until the supporting mitigating structures and processes are in place. As a result of improved awareness, employees are increasingly willing to collaborate with employers to enhance workplace security. For example, IT monitoring solutions to prevent internal leaks are being more readily accepted by workers' councils, enabling organizations to track employee activity in compliance with GDPR regulations.
Despite growing concerns over knowledge theft and hybrid warfare, information on the tactics of nation-states and on incidents affecting organizations remains largely undisclosed, leaving many organizations vulnerable to intellectual property theft and sabotage. In his report 'Safer Together: Strengthening Europe's Civilian and Military Preparedness and Readiness', Sauli Niinistö, the former president of Finland, advises the EU to develop a fully-fledged intelligence cooperation service. He emphasizes the need for enhanced intelligence sharing and counter-espionage efforts to protect against threats, saboteurs, and foreign agents operating within EU member states. Although the creation of an EU intelligence service is unlikely to happen soon, improved intelligence sharing between agencies and critical businesses, on both incidents and preventative measures, should be a priority.
To protect critical knowledge, a comprehensive approach involving regulation, awareness, and international collaboration is vital. Regulation (and accountability) is effective in spurring organizations and their leadership teams into action. Awareness at the societal, organizational, and individual level is key to recognizing these tactics and, when awareness follows policy, it opens a perspective for concrete action. Governments, academic institutions, and businesses must build a shared security posture and culture, fostering an environment where innovation and open collaboration thrive while remaining resilient and secure.
Photo: Shutterstock.com / IM Imagery
Nina van Lanschot is director at Signpost Six and a member of the Peace & Security Committee of the Dutch Advisory Council of International Affairs (AIV).