A Dual Approach to Tackling IP Theft and IP Loss

Recent months have seen fresh allegations of intellectual property (IP) theft reported against Chinese technology companies. ASML Holding NV, a Dutch computer chip manufacturer, has reiterated its accusations of IP theft against China-based Dongfang Jingyuan Electron Ltd, created by an ex-ASML employee, Zongchang Yu. Another of Yu’s companies, based in the US, was successfully sued by ASML in 2018. Dongfang, however, enjoys protection from China’s government, and Yu is lauded as a ‘flagbearer’. With China aiming to end its reliance on imported advanced technologies, the geopolitical struggle for IP is all-important.

Prioritising efforts to tackle IP loss, the UK government has restricted academic partnerships and attempted to reduce foreign acquisitions. A comprehensive approach to protecting IP, however, also requires a focus on IP theft. Recognising these dual concerns, the UK needs a more strategic approach to protecting IP.

IP relates to material that is copyrighted, patented or trademarked, or that can be considered a trade secret. The amount of IP material has risen significantly over recent years, with registered patents for digital technologies increasing by 172% from 2016 to 2020, according to the World Intellectual Property Organization. Crucially, Chinese companies have constituted the lion’s share of these, holding 3.6 million registered patents at the end of 2021.

China has leveraged IP theft and loss to become a science and technology power. Shanghai, Beijing and Shenzen rival Silicon Valley, and Huawei, Alibaba and Tencent nip at the heels of the US tech giants. The strategic challenge posed by China has evolved into superior Chinese capabilities in tech, innovating independently of other competitive markets and dominating technology supply globally. Fair competition in tech innovation is vital for national security as it ensures diversity of supply.

IP theft undermines the UK’s competitive advantage and potential for innovation, damages reputations, and increases security exposure. While it is hard to measure its total cost, in 2018 McAfee estimated that of the $600 billion annual cost of cybercrime, IP theft represented at least a quarter. It has only grown since.

In an analog world, IP theft relied on surreptitiously smuggled manila folders hastily swapped for cash-stuffed briefcases, but now cyber breaches are to blame. In 2020, 82% of IP theft incidents included cyber means as either the primary or partial factor in breaches. Methods of network intrusion include malware and phishing campaigns (socially engineered messages prompting individuals to input login information or incidentally download malware).

Chinese IP theft came under the spotlight in the 1990s with revelations that Beijing stole nuclear secrets from the US. Since then, China has rapidly expanded its capabilities by establishing and supporting multiple units specialised in malicious cyber activities for financial, espionage and destabilising purposes. These units, known as Advanced Persistent Threat (APT) actors, are not exclusive to China, with Russia, North Korea and Iran also operating as or with APTs.

In 2007, Lockheed Martin found Chinese hackers had stolen technical documents about the F-35 aircraft. An Australian sub-contractor of Lockheed working on the F-35 was also hacked that year. These breaches, the US Department of Defense argues, explain suspiciously coincidental similarities between China’s J-31 and the F-35. The theft of highly sensitive military technology represents a clear threat to national security and the integrity of private defence manufacturers, many of which are UK based.

Chinese APTs do not solely focus on national security-related technologies. In contrast to liberal democracies, where a separation exists between state intelligence agencies and private companies, in China state espionage often provides foreign corporate secrets to Chinese businesses. The Minneapolis Federal Reserve Bank in 2015 concluded that half of all technology owned by Chinese firms was obtained from foreign companies.

The 2021 Microsoft Exchange breach, linked to APT31 and APT40, compromised 300,000 organisations globally and was attributed by Microsoft, the UK government and other allies to China. The objective, according to the National Cyber Security Centre, was ‘the acquisition of personal data and intellectual property’. As one of the largest cyber incidents in recent years, it is clear evidence that Beijing still sees major monetary and commercial value in IP theft.

Tackling IP Loss

To address IP loss, the UK government has clamped down on malign international research collaboration by establishing an advice team for universities, and has sought to tackle foreign direct investment in critical sectors and assets by passing the National Security and Investment Act. The Research Collaboration Advice Team launched in October 2021 seeks to directly address ‘hostile actors’ such as China. New legislation follows Pillar 3 of the National Cyber Strategy 2022 in looking to sustain UK technological advantage by protecting innovative start-ups from foreign acquisition. This is part of the UK’s ambition to be a ‘science and tech superpower’, for which IP development and retention is essential.

The effectiveness of government efforts to prevent IP loss has been underwhelming. Despite new powers to probe and even prevent foreign investments in critical technologies, Newport Wafer Fab – a Cardiff-based semiconductor plant – may be bought by Nexperia, a Chinese firm. The Foreign Affairs Committee raised concerns that the UK government lacked appetite to prevent the sale, something which the business secretary has now decided to investigate. While not an immediate loss of IP, its sale could have a long-term effect in compromising future unrealised potential from the UK chip industry. The UK must take advantage of legislative powers to protect critical tech industries.

China has decried these initiatives as examples of its unfair victimisation by Western governments, with Chinese commentators arguing that engagements in foreign academia and participation in the UK economy are perfectly legitimate. In this argument, China has a point. Persecution of Chinese academics or business leaders, purely based on their background, is wrong. Western economies and universities have grown through welcoming and fostering diverse competition, not through exclusion. Hostile measures risk dissuading world-leading scientists, promising students and innovative companies from engaging with Western institutions.

Tackling IP Theft

To counter IP theft, the UK government must engage internationally to strengthen deterrence against governments supporting IP theft, while continuing to increase the cyber resilience of the UK ecosystem. Although assurances regarding IP theft have been made by Xi Jinping in both 2015 and 2018, there has been little change in the number of incidents. Targeted sanctions and name-and-shame policies have failed to disincentivise APT activity. To redress this, the UK could develop a mechanism to indict specific cybercriminals, as the US has done, increasing the individual consequences for participation in state-sponsored cybercrime.

Pillar 2 of the UK’s National Cyber Strategy concerns Cyber Resilience, outlining improvements across risk mitigation, attack prevention, and comprehensive preparation, response and recovery. Progress in these areas is welcome; as the UK becomes a harder target, it is less likely that IP theft operations will succeed. To help narrow down how to operationalise Pillar 2, the UK government should consider the following:

• Firstly, critical research and development in the private sector and academia needs iron-clad protection. Government should lean in to assist critical sectors, identifying companies and research programmes at high risk of IP theft and supporting them with guidance and a forum to implement best practice in day-to-day operations.
• Secondly, individuals cannot rely on cyber awareness alone to protect them. Businesses that provide online software should impose strong authentication and privacy controls for users by default, ensuring that identity access management is not burdensome for the user. Government regulation would help to speed up adoption of strong authentication across all digital services.
• Lastly, the UK government should conduct large-scale take-down operations of online caches of passwords and personally identifiable information. These repositories empower APTs, allowing easier access to accounts. Account exposures and IP theft will continue unless governments clean up the dirty data trade.

The UK government needs a dual approach to IP theft and IP loss, recognising that while the tactics differ, they ultimately lead to the same goal: an attrition of IP. Nurturing and maintaining UK companies for the benefits of short- and long-term innovation is a key step in reducing IP loss. On IP theft, strengthening naming and shaming powers while making the UK a harder target would help in deterrence.

The views expressed in this Commentary are the authors’, and do not represent those of RUSI or any other institution.

Have an idea for a Commentary you’d like to write for us? Send a short pitch to commentaries@rusi.org and we’ll get back to you if it fits into our research interests. Full guidelines for contributors can be found here.