The Five Eyes security alliance, made up of intelligence agencies from Australia, Canada, New Zealand, the U.K. and the U.S., released the Five Principles of Secure Innovation on October 17. These principles give startup founders and other business leaders guidelines for keeping intellectual property safe from cyberwarfare actors, particularly state-sponsored actors.
What are the Five Principles of Secure Innovation?
The Five Principles of Secure Innovation are:
- Know the threats.
- Secure your environment.
- Secure your products.
- Secure your partnerships.
- Secure your growth.
What can businesses do to protect IP using the Five Principles?
The Five Principles are focused on protecting IP. For example, under the header of “Know the threats,” the National Protective Security Authority (NPSA) specifies: “Understand the way state-backed and hostile actors could try and get hold of your technology.”
Investors, suppliers and collaborators can all introduce risk, NPSA and the Five Eyes alliance cautioned.
Other recommendations from Five Eyes about how businesses can protect IP include:
- Create an effective system for security risk management, incorporating risk ownership, identification, assessment and mitigation.
- Build security into your products from the start and actively protect and manage your intellectual assets.
- As your company grows, manage the security risks from entering new markets and expanding your workforce.
- Appoint a board-level security lead.
- Protect assets with digital and physical barriers.
- Perform background checks to be sure you know exactly who your business is working with.
- Include protections around data within contracts.
- As your company grows enough to consider international markets, consider export controls, jurisdiction risk and travel security.
Why were the Five Principles created?
The Five Principles were created as part of Secure Innovation, a joint project between the U.K.’s National Protective Security Authority and the National Cyber Security Centre. The purpose of Secure Innovation is to encourage founders of tech startups and spinoffs to implement security measures as early as possible in the process of creating their new businesses.
“Across all five of our countries we are seeing a sharp rise in aggressive attempts by other states to steal competitive advantage,” wrote NPSA Director General Ken McCallum in a blog post. “This contest is particularly acute on emerging technologies; states which lead the way in areas like artificial intelligence, quantum computing and synthetic biology will have the power to shape all our futures.”
“By understanding the threats to our IP, our CISOs can develop detailed strategies to thwart advisories and dive deeper into the minds of the hackers to prevent targeted IP cyber attacks before they happen,” said Sanjay Poonen, president and chief executive officer of IT company Cohesity, in an email to TechRepublic.
The agencies that make up the Five Eyes are:
- The Office of the Inspector-General of Intelligence and Security of Australia
- The National Security and Intelligence Review Agency of Canada
- The Office of the Intelligence Commissioner of Canada
- The Commissioner of Intelligence Warrants and the Office of the Inspector-General of Intelligence and Security of New Zealand
- The Investigatory Powers Commissioner’s Office of the United Kingdom
- The Office of the Inspector General of the Intelligence Community of the United States
Five Eyes officials express concerns about China-sponsored IP theft
According to Tech Monitor, Five Eyes leaders speaking at a joint event in San Francisco on October 17 specifically pointed out possible risks to IP from threat actors operating out of China.
Chinese government spokesman Liu Pengyu told Reuters the accusations were “groundless.”
“Statements from the intelligence communities at the Five Eyes countries are a positive recognition of the persistent threat of Chinese espionage,” said Ted Miracco, chief executive officer of app protection company Approov Mobile Security, in an email statement to TechRepublic.
“The sheer number of motivated (Chinese) hacking teams, the scale of the toolsets and the coordination are unlike anything we’ve ever seen — and add AI to the equation and we have a serious problem,” said David Mitchell, chief technology officer of security solutions company HYAS, in an email to TechRepublic.
In May 2023, Microsoft released a warning about Volt Typhoon, a China-sponsored threat actor. Volt Typhoon used “living off the land” data extraction and cyber espionage techniques and targeted critical infrastructure, Microsoft said. Another China-aligned threat actor, Storm-0558, targeted U.S. senior officials in September 2023 using credentials taken from a Microsoft engineer’s corporate account.