Attorney General Eric Holder, Photo: justice.gov

Just in time for Cyber Monday, as millions of Americans are expected to make holiday purchases with the click of a mouse, Attorney General Eric Holder announced stepped-up efforts to shut down sites selling counterfeit products.

Working with the Justice Department’s criminal division, the Department of Homeland Security and nine U.S. attorneys’ offices around the country, Holder said 82 sites — hawking everything from sports equipment, shoes and handbags, to illegal copies of movies and music – were shut down.

Holder’s announcement, part of efforts known as “In Our Sites II,” came at a news conference in Washington, D.C. He was joined by Director of Immigration and Customs Enforcement John Morton and U.S. Attorney for the District of Columbia Ron Machen.

In his speech, Holder repudiated the idea that intellectual property crimes are essentially victimless.

“For far too long, the theft of innovative ideas or sale of counterfeit, defective and dangerous goods has been perceived as ‘business as usual,’” he said. “Not anymore. IP crimes threaten economic opportunities and financial stability. They destroy jobs. They suppress innovation. And they can jeopardize the health and safety of the men and women we are sworn to protect.”

Holder added that intellectual property law enforcement remains a “top priority” for DOJ.

The latest announcement follows a series of moves by Holder to beef up efforts to combat intellectual property crimes.

During the first part of the “Operation In Our Sites” campaign, which was launched over the summer, Holder said authorities used “seizure warrants” to close down sites offering bootleg copies of movies. And, in February, Holder re-established DOJ’s Intellectual Property Task Force.

The Obama administration has made intellectual property rights “a priority,” reports Main Justice, a news and analysis website covering DOJ. A number of large companies, such as Microsoft and NBC Universal and a bipartisan delegation of lawmakers also support more robust IP enforcement, the site reports.

Noted cyber expert Melissa Hathaway, who led President Barack Obama’s 60-day cybersecurity review in 2009, found that the United States lost an estimated $1 trillion in intellectual property crime in 2008.

Todd Alan Cook was also ordered to pay restitution in the amount of $599,771. He pleaded guilty March 11, 2010, to criminal copyright infringement in the U.S. District Court in Alexandria, Va.

According to court documents, Cook, his father Robert D. Cook and another person ran several websites selling counterfeit software with a combined retail value of nearly $1 million. Cook admitted he and his co-conspirators used these websites to sell downloadable counterfeit software without authorization from the copyright owners.

Robert Cook pleaded guilty March 11, 2010, to one count of conspiracy to commit criminal copyright infringement and will be sentenced Dec. 3, 2010.

Image: Heather Russell

Jordan’s capital of Amman has hosted its first-ever First Regional IPR and Cyber Crime Conference, highlighting the progress of Arab countries in intellectual property rights protection, and exploring recommendations for governments and companies on how reduce software piracy.

Two-thirds of Middle East companies are at risk of using unlicensed or pirated software, 67 percent of businesses lack formal systems for software asset management, and 80 percent fail to identify the operational and viral threats to businesses using pirated software, according to Abdallah Saqqa, general manager, Middle East & North Africa, Adobe Systems, one of the organizers of the conference.

The event brought to light a host of issues industry the public and private sector face as a result of software piracy and breaching of intellectual property rights, including violation of user privacy, cyber crime, and the effect of intellectual property rights infringement on the business environment.

Conference participants came up with action recommendations for government and industry, which included promoting R&D focused on cyber crime, and establishing specialized cyber-crime courts and passing new laws that help protect user and company rights

In most Middle Eastern nations, software piracy over the last few years has only varied by around 2-3  percent, however, the financial losses this represents can exceed more than $100 million in some countries.

Scott Borg, president and CEO, US-CCU

The threats emanating from cyberspace are becoming consistent features in the news. Earlier this year, Google revealed it and dozens of other companies had come under cyber attack. Cyber criminals have stolen millions of dollars and the intellectual property of America’s leading corporations are at risk. Scott Borg, director and CEO of the nonprofit U.S. Cyber Consequences Unit, is a leading expert on the economic impact of cyber attacks. The New New Internet recently had the opportunity to ask Borg about the economic impact of cyber attacks, increasing cooperation and his advice for IT professionals.

TNNI: Tell us a bit about your background.

Borg: Security was not something with which I was intending to get involved. I was doing work as a business consultant on how much value could be created using information systems. Shortly after the 9/11 attacks, someone asked me how much value could be destroyed using information systems. When I started looking at the problem, I got results that were very frightening. They were frightening for two reasons. One reason was that, according to my calculations, information systems could be used to destroy enormous amounts of value. The other reason was that the way this could be done wasn’t what people at that time were worried about. People at that time were focused almost exclusively on cyber attacks that would shut down information systems. I said that really serious cyber attacks would hijack information systems to do much worse damage.  When I tried to warn people in the government about this and provided a detailed economic analysis to back up my claims, I found myself suddenly being regarded as a cybersecurity expert. I decided then that I had better actually become a cybersecurity expert, so that people wouldn’t be disappointed.

TNNI: You serve as the director and CEO of the US Cyber Consequences Unit.  What is the goal of the US-CCU and what do your duties entail?

Borg: Our job at the US-CCU is essentially to figure out how to destroy America and its allies using computers and then to figure out what’s the cheapest thing we could do to make it harder.  To do this well, we need to investigate what kinds of cyber attacks are possible, what their economic and strategic consequences would be, what knock-on effects could be expected, how likely the attacks would be to succeed, what counter-measures are available, what policies and market conditions might promote those counter-measures, and what the costs and benefits would be at every level.  Investigating these things conscientiously requires an enormous amount of interdisciplinary research and lots of on-site visits to critical infrastructure facilities.  Fortunately, I have the help of brilliant, nationally known experts, such as John Bumgarner, Warren Axelrod, Joel Gordes, and several others who are similarly talented.  They do their own investigations and are passionate about getting to the bottom of things.  I have already done most of the relevant theoretical work and developed the necessary analytic models.  So when we are adequately funded (which is not always the case!), the main things I need to do are to arrange periodic brain-storming sessions, to turn our associates loose for a while, and then to help synthesize their results.  The US-CCU team are extraordinarily creative and a joy to work with.  It would be hard to stop them from doing innovative and insightful work!

TNNI: One of the purposes of the US-CCU is to examine the economic consequences of a cyber attack.  What are some of the more damaging attacks in terms of their economic impact?

Borg: The worst cyber attacks would be ones that would physically destroy critical infrastructures: wrecking large numbers of big electric generators, blowing up oil refineries and pipelines, crashing trains in tunnels and on bridges, causing leakages of toxic substances from chemical plants, and so on.  In addition to killing some people immediately, these sorts of attacks could deprive large populations of essential goods and services for extended periods of time.  Some of them would cause most of the economic activity in the affected region to shut down.  The total economic destruction caused by an intense campaign of such attacks could be greater than the damage done to Germany and Japan by strategic bombing during World War II.  Fortunately, these kinds of attacks are very difficult to carry out and are currently only within the capabilities of high-tech nation states.  These nation states have no desire to do such things.  My biggest worry is that less responsible groups will acquire such capabilities in the future.

TNNI: There have been a number of recent media reports about the attacks on Google and the oil industry.  How prevalent is the threat to private industry and what are the economic consequences for industry and the U.S. economy?

Borg: The biggest cyber crime being carried out today is the theft of business information.  The total losses from this activity are much greater than the total amounts being stolen by false credit card charges, even though that amount is itself huge.  People often say that we operate in an information economy.  Actually, it would be more accurate to say we operate in an information differential economy.  The amount of value a business can create is often proportionate to the amount of information that it can put into play that its competitors can’t.  The theft of business information can eliminate most of this information differential.  This means that information thefts could cause entire businesses and even entire national industries to lose the ability to survive in the global economy.

TNNI: In your experience, how cognizant are corporate leaders of the impact appropriating intellectual property has on their organization, particularly when the data isn’t actually disappearing?

Borg: This is still a new issue for most executives, and they are only now beginning to appreciate its importance.  Addressing the issue, however, is complicated.  If the specifics of the massive thefts of business information were to become publicly known, the executives who let it happen could be sued by their shareholders.  What’s more, the companies who were victimized would need to sue the companies who benefited, and those companies would countersue, claiming libel, and anyone else who got involved would probably be sued as well.  It’s such a nightmare scenario from a legal standpoint that some executives would prefer not to know.  They cross their fingers and hope that warnings like this one in this interview are exaggerated—or, if not exaggerated, that the full effects won’t be felt until after they’ve retired.  Many other executives who are more courageous and conscientious are tackling the problem right now.  But it will take them a while to get a handle on it.

TNNI: Cybersecurity professionals are often forced, like most managers, to justify their budgets to keep them from being trimmed, yet cybersecurity is proven by what does not happen as opposed to more positive based indicators.  What advice would you give to cybersecurity managers when seeking to justify or increase their budgets?

Borg: The most important thing a security professional can do is learn how their company creates value.  This especially means understanding how any given information system contributes to the company’s bottom line.  It means knowing what will substitute if that information system can’t function properly.  It means knowing roughly how much value is created by the things the information system supports, such as customer relationships.  It means knowing how much value would be lost by damage to these systems.  These are things a cyber security actually needs to know, because they are necessary for determining the priorities and strategies for responding to cyber attacks.  But few cyber security professionals have sufficient knowledge of these matters.  Without making a greater effort to understand these things, security professionals won’t know what value their own efforts are contributing.

TNNI: How should the U.S. look to increase cooperation between the private and public sectors, and what should that cooperation look like?

Borg: It’s all about costs and benefits.  The key to fostering public-private cooperation is to look at the costs and benefits to each participant that result from participating in a given cooperative activity.  Cooperative efforts fostered by the government generally founder, because no one in the government has thought through the opportunity costs properly.  If the government wants an executive with any power to show up for a meeting, then the government officials need to think about what other management activity that executive will need to skip in order to be there.  If the government wants information from a corporation, then the government officials need to think about the costs and liabilities a company incurs in supplying that information.  If there are adequate benefits to private sector corporations—even indirect benefits—they will usually cooperate;  if there aren’t, they won’t.  I am very optimistic about the prospect for future public-private cooperation, but it needs to be thought through better.

By the way, I will have a long-promised book coming out soon that will address all of the issues raised in your questions.  It’s called Cyber Attacks: A Handbook for Understanding the Economic and Strategic Risks.