Protect and survive. Survive and thrive

In the face of cyber crime and theft of intellectual property, how can our government, business and industry protect the digital economy? The New Statesman brought some leading voices together to find out

Sign Up

Get the New Statesman's Morning Call email.

Baroness (Lucy) Neville-Rolfe has been minister for intellectual property only since July but she is already well versed in the numbers that go with this particular policy patch. Creative industries contribute 1.6 million jobs to the UK economy, she notes, and IP-intensive industries represent 37 per cent of the country’s GDP. “Britain has to compete on the world stage and we have to use the brains of our people and the strength of our education.”

 Neville-Rolfe – whose career spans the civil service, the prime minister’s policy unit, a 16-year stint at Tesco supermarket in a variety of executive positions, and now minister and member of the House of Lords – was speaking at a New Statesman round-table debate last month, convened in partnership with the Federation Against Software Theft (Fast).

The title of the discussion, mirrored by the title of this supplement, was Cyber Crime and IP Theft: Protecting the Digital Economy, and Neville-Rolfe believes progress has been made. She pointed to the creation the Police IP Crime Unit (Pipcu), an overhaul of copyright law, a reformed IP Enterprise Court and “a much-improved legal framework, both civil and now criminal”. However, she admitted there was much more to do. She described cyber crime as a “real threat to national security” and on IP theft, she said: “We know what it takes to protect our interests and we are alert to the needs and opportunities, but I believe passionately that we’ve got more to do.”

Size of the IP problem

 So what is the extent of the issue she is looking to address? The Cabinet Office’s Office of Cyber Security and Information Assurance agency estimates that cyber crime costs the UK economy £27bn a year. Of that, IP theft accounts for a third. Estimates are useful but calculating the impact of any grey or black market is notoriously difficult.

 As Neville-Rolfe pointed out: “Academics tend to come up with one set of figures and industry tends to come up with another, larger set of figures.”

 Putting a price on intellectual property theft is especially difficult, as any calculation which suggests that the retail value of illegally obtained software, music or film is equivalent to lost revenue is misleading. Some of those who have accessed illegal material would never have been purchasers in any case, while others go on to buy a legal version latterly, contributing to the digital economy rather than damaging it. Studies, including one from the European Commission Joint Research Centre in 2013, have shown this to be the case with music downloads.

Even the mighty Microsoft tacitly acknowledges the possible benign effects of piracy. In 2007, its business group president Jeff Raikes said: “If they’re going to pirate somebody, we want it to be us rather than somebody else.”

So while there is a discussion to be had about the morality – and criminality – of IP theft, assessing the direct impact on the digital economy is not a straightforward task. Alex Hilton, chief executive of Fast, accepted the broad point but insisted that an argument about numbers missed the bigger picture. “It’s not just about the big guys [like Microsoft],” he said. Rather, it’s about “the long-tail of smaller developers who need to be more aware of some of the IP challenges. A lot of these guys are doing what they can just to keep the lights on . . . We’re saving these businesses. That may sound trite but it is a genuine impact we’re having.”

Hilton’s colleague Julian Heathcote Hobbins, deputy chairman and general counsel at Fast, added: “The problem with a discussion about numbers is that it ignores the times when you can save an IP-rich business that goes on to flourish and employ very many people.”

What is IP, anyway?

Neville-Rolfe said it is part of her mission to get people interested in the topic and make intellectual property something that everyone understands. One barrier in her way is that, beyond dictionary definitions of IP (see “Jargon buster”, page 13), there is dispute about what it means in practice. Heathcote Hobbins, who posed the question “What is IP?” during the debate, noted: “I was always trained that there were no rights to an idea because that’s what enables competition.” His fellow lawyer Andrew Joint, commercial technology partner at Kemp Little, urged lawmakers not to look at IP purely in a copyright or patent context: “If we become very narrow in how we think about it then it gives people the room to exploit around the edges.”

 Doug Davidson, director of cyber security services for Capgemini, agreed that a company’s intellectual assets were now broader than had once been thought. “What we are seeing now is a mass attempt to extort the process,” Davidson said – “everything from health and safety to business process. It’s not just the idea, it’s not the design or patent – it’s the vast amount of supporting collateral that comes with the idea.”

Meanwhile, Anders Jessen, head of the intellectual property unit in the Directorate General for Trade at the European Commission, observed that distinctions between IP and what he termed “trade secrets” presented a policymaking challenge at the European level. “There are ideas that a business could patent but decides not to, because part of the patent process puts the information [into the public domain].”

The data problem

Perhaps the best way to illustrate the threat to intellectual property, in all its forms, is through example. Catriona Hammer, senior counsel IP at GE Healthcare, told the story of one former employee who downloaded many gigabytes of information on to four hard drives and mailed them to China where he had just accepted a job with a competitor.

“I only give you that as an example,” Hammer said, “because you asked whether this is real. The answer is yes.”

Leakage of valuable information need not be this dramatic. Julian David, chief executive of techUK, the industry association, pointed out that “employees on LinkedIn will describe a lot about themselves but also a lot about their company in so doing. And if you put two and two together you can see, for example, that there are a lot of new people in a particular department.”

Whether malicious or unthinking, loss of IP is a distinct risk. “Any organisation nowadays relies upon data,” said Hammer. “It’s one of the most valuable assets and it’s under threat daily. It’s under threat from the cyber crime hacker. It’s also under threat from employees, sometimes through carelessness and ignorance and sometimes deliberately stealing information.”

Strangling the pirates

If that is the problem, what are the potential solutions? Some prevention strategies are highly specific. For example, the government is talking to search providers including Google and Microsoft and urging them to relegate websites responsible for the illegal distribution of products and services further down the results pages and to push honest sites further up. According to Neville-Rolfe, the search engine auto complete function, which suggests likely search terms, is also prone to send web users to illegal sites. Talks about resolving the issue are ongoing, she said.

Other means of prevention are being pursued by the Police Intellectual Property Crime Unit, a 21-strong team that operates within the City of London Police and that was set up in 2013. Neville-Rolfe said she was pleased with its early successes: “Forty arrests in 12 months, 1.2 million of fakes seized and 3,000 illegal websites disrupted.”

 It is the disruption of websites selling counterfeit goods that is of particular interest to Detective Chief Inspector Daniel Medlycott. “The ability to strangle advertising and payments to the websites is key,” he said. Medlycott’s team created an infringing website list and encouraged leading brands to pull their advertising from those sites. Pipcu wrote to the top 100 brands operating in the UK; though the initial response was “fairly poor”, today the majority comply with the request.

And in a twist, the police themselves began advertising on some of those infringing sites earlier this year. The banner adverts read: “This website has been reported to the police. Please close the browser containing this website.”

Education, education, perception

Medlycott reflected the views of a number of panellists around the table when he observed that parents who would normally understand the moral ANNE KOEFOED boundaries of theft in the physical world were ignoring or failing to appreciate similar boundaries in the digital world. “We still live in a society where the majority of parents will say, ‘That’s theft, that’s wrong, don’t do it.’ With [IP theft] we don’t have the support of the parents,” he said. “We have people downloading music and thinking every musician is as rich as Bono.”

This perception problem was recognised by the European Commission’s Jessen, who said outreach programmes have proved problematic in the past but thought that attitudes may soon alter: “If you are buying a fake Rolex watch on a beach in Thailand you know what you are getting, even if you may have to buy another soon after.

“Now, people involved in these activities are moving into fake pharmaceuticals, health-care products – all sorts of things that we put on our body or in our mouth. And then I think people will start to develop a different perception of what kind of activity we are supporting.”

Medlycott said Pipcu was talking to budding artists and musicians to explain how much damage illegally downloading material could do to their own future career. While he doubted whether these kinds of messages would be incorporated into the National Curriculum, they could at least be integrated into media studies, ICT and music lessons.

Neville-Rolfe said education in schools and beyond was “a job for us all”. Alongside the right legal framework, the legitimate supply of goods and services and good enforcement, education was a key tenet in any strategy to combat IP theft. She pointed to new apprenticeships at GCHQ, a ten-step guide to cyber security aimed at business executives and the introduction of Moocs (massive open online courses) aimed at lawyers and accountants as evidence of the work the government was doing.

Neville-Rolfe said it was important to teach the risks of IP but “also the opportunities of building IP into your balance sheet. If you set up a fashion business, you can become rich if you protect your IP. And it can all be stolen if you don’t.” Kemp Little’s Andrew Joint said those of the Facebook generation inclined to start their own business already understood the value of their creative endeavours. “There are always two things they are interested in when talking to lawyers,” he said. “It’s not data protection obligations or health and safety policies. It’s their share options and how they protect their intellectual property. They realise that’s how they monetise what they produce.”

Good practice, bad practice

If education remains a critical component in tackling cyber crime and IP theft, common sense and good practice are important, too. GE Healthcare’s Hammer urged companies, large and small, “to understand what data you’ve got and categorise it, because you don’t want to treat all data in the same way. You will have some data that is really valuable – that’s your secret sauce – and you want to make sure that that data is guarded, protected and shared appropriately. On the other hand, there is data where its entire value is in sharing it, increasing your reputation and attracting partners.”

 Davidson of Capgemini agreed. “I’m constantly bemused to the extreme why organisations don’t understand their data better – don’t understand it as an asset,” he said. “I routinely come across companies that have no consideration to how they connect to third parties, no consideration to how they connect to different parts of the organisation.”

Davidson also claimed that, with the possible exception of FTSE-100 companies, “cyber security is very rarely, if at all, in the risk registers of most organisations”. This may come as a surprise, especially given pending EU data protection regulations that threaten penalties of up to €100m – or 5 per cent of annual global turnover – for breaches. It might be assumed that such fines would focus minds. Not so, said Davidson, who insisted he could point to a number of firms that say they are compliant when they are not. He added: “The perimeter within organisations has gone. There are only two aspects that allow an enterprise to control its domain. One is identity. Second is the API interface – the types of software and integration that you have around the organisation. The challenge that we have is not the big vendors with their software: it’s rapid application development, it’s people developing outside the organisation and introducing vulnerabilities.”

On a practical level, Hammer noted that GE Healthcare had imposed restrictions on the use of portable media, including USB sticks. “Educating employees about the dangers is a step you can take, such as telling them not to lose sight of their laptop when they are going through airport security. Lots of laptops get stolen at airport security. So make sure you see it when it goes into the machine and make sure you see it when it comes out.” Jessen added: “Businesses say to us that they now institute policies that mean when employees travel to certain parts of the world they can only bring in laptops that don’t have sensitive data on them.”

Fast’s Alex Hilton injected a note of caution, arguing that preventing malicious behaviour was not always possible. “I’ve heard of organisations sticking Super Glue in USB drives [to prevent their use],” he said. “That’s not a solution. You’re never going to be able to ANNE KOEFOED police against individuals who just want to behave in this malicious manner. So for me, it’s about education.” He added that certain technologies were unfairly characterised as a security risk. “Cloud is not a negative, it’s a positive . . . You’ve got better security there than you have in certain small-business scenarios.” Did he include public cloud? “Absolutely,” Hilton said, “because you’ve got levels of security. It’s not just a free-for-all. It’s about policy management and control.”

Let the market decide

This theme was taken up by Davidson. “Business has to be agile,” he said. “Security is not the group that says no. It should be the group that says, ‘OK.’ ” TechUK’s Julian David suggested that industry was more likely to find solutions to security threats than lawmakers. “Letting the market have a big role here is very important because if you don’t do that, you don’t have scope for innovation and you risk fossilising things.”

David pointed to two examples of industry involvement in action. He said his members were in conversation with the European Union about a cloud code of practice, while techUK had recently signed a memorandum of understanding with the US department of homeland security which may lead to UK technology companies creating products designed to protect security.

Joint agreed that industry had an important role to play. “Reliance just on laws isn’t going to work, because laws take too long to get on the statute book, they happen at a slower pace than the technology itself. There has to be a suite of things – there has to be education and pressure of the industry to come up with solutions.” He pointed to the introduction of digital rights management software into DVDs in the mid-2000s in an effort to address piracy. It was a move that was seen as draconian in some quarters. “Yes, it went too far,” Joint said, “but the marketplace reacted to it.”

The view was echoed by Heathcote Hobbins: “The industry, I would suggest, often has the fix because it has to.

This New Statesman round-table debate, in association with the Federation Against Software Theft, took place on 19 November 2014 at Portcullis House, adjoining the Palace of Westminster.