Tom Lyons, a founder of the 2430 group and a former CIA Directorate of Operations officer, breaks down how China’s intellectual property theft operates and what practical steps can disrupt those networks.
Tom Lyons brings field experience and an operator’s view to the table, so the description of how intellectual property moves from labs and factories to foreign state interests is concrete and tactical. He frames theft not as isolated hacks but as a system that mixes legal deals, covert recruitment, and cyber operations. That system targets universities, corporate R&D, and supply chains where value concentrates.
At its core, the strategy blends three tracks: technical intrusion, human compromise, and legal exploitation of openness. Cyber intrusions get blueprints and prototypes, human compromise harvests know-how, and legal pathways like joint ventures or research collaborations provide cover for technology transfer. Each track reinforces the others, creating redundancy that makes disruption difficult.
Lyons explains how recruitment is central to the human track: researchers, engineers, and technicians are often targeted through grants, consulting offers, or academic ties. These approaches look legitimate on paper, so organizations can lose sensitive information without obvious malfeasance. Employee vetting and awareness become critical because the threat is social as much as it is technical.
On the cyber side, attackers go beyond mass phishing and deploy persistent, tailored intrusions that aim for data exfiltration rather than immediate disruption. They embed tools, create covert channels, and wait for the right file versions or trade secrets to emerge. A one-time breach rarely delivers maximum value; sustained access does.
Legal and commercial instruments provide the third vector: shell companies, talent programs, and forced joint ventures serve as legitimate-looking highways for technology. Through these mechanisms, intellectual property is often transferred under contractual pretenses that complicate later recovery. Organizations can be blindsided by contracts or investment deals that include transfer clauses used for extraction.
Lyons stresses that attribution matters because it changes the response calculus; state-directed campaigns require different solutions than criminal-for-profit theft. Pinpointing who benefits and how the stolen IP is used allows defenders to prioritize protections and pursue legal or diplomatic remedies. Clarity on intent also helps companies justify defensive steps to partners and customers.
Mitigation starts with mapping what matters: identify crown-jewel IP, where it resides, and who has access. That mapping enables focused controls instead of broad, expensive lockdowns that slow innovation. It also helps prioritize monitoring so defenders can notice early signs of coordinated extraction rather than treating incidents as one-offs.
Operationally, Lyons recommends blending counterintelligence measures into normal enterprise processes—tighten contractual language, limit broad data sharing, and enforce strict segmentation between research groups. Pair those measures with robust network detection tuned to long-term, low-noise exfiltration patterns. People and tech have to work together; neither alone stops a sophisticated campaign.
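The "network detection tuned to long-term, low-noise exfiltration patterns" that Lyons recommends is concrete enough to sketch. The Python below is an added example, not code from the page, the interview, or the 2430 group; the log format, the thresholds, and every sample record are constructed assumptions. It runs a conventional per-day volume rule next to a low-and-slow rule over the same constructed records, so that the workstation moving a few hundred kilobytes to the same external address every night, which never trips the volume rule, is the one the second rule surfaces.

```python
"""Low-and-slow exfiltration detector over per-host outbound byte counts.

Added example, not code from the page or the 2430 group. The log format,
the thresholds and all sample records below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records: "<UTC timestamp> <internal host> <external dest> <bytes out>"
# ws-lab-17: small, evenly sized transfers at ~02:00 every day (the patient pattern)
# ws-lab-04: two large daytime transfers (bursty, stops after two days)
# ws-lab-22: one 50 MB transfer (caught by the ordinary volume rule)
SAMPLE_LOGS = """\
2024-03-01T02:14:00Z ws-lab-17 203.0.113.45 410000
2024-03-01T09:30:00Z ws-lab-04 198.51.100.20 2400000
2024-03-02T02:17:00Z ws-lab-17 203.0.113.45 390000
2024-03-02T11:05:00Z ws-lab-04 198.51.100.20 1800000
2024-03-03T02:12:00Z ws-lab-17 203.0.113.45 420000
2024-03-04T02:15:00Z ws-lab-17 203.0.113.45 405000
2024-03-05T02:16:00Z ws-lab-17 203.0.113.45 398000
2024-03-06T02:13:00Z ws-lab-17 203.0.113.45 415000
2024-03-07T02:18:00Z ws-lab-17 203.0.113.45 402000
2024-03-07T14:00:00Z ws-lab-22 192.0.2.9 50000000
"""

PER_DAY_CAP = 20_000_000   # bytes/day at which a conventional volume alert fires (assumed)
MIN_ACTIVE_DAYS = 5        # distinct days of steady transfer before the slow rule cares
TOTAL_MIN = 2_000_000      # cumulative bytes over the window that make the pattern worth a ticket
MAX_CV = 0.3               # coefficient of variation of daily bytes; low means suspiciously even


def parse_logs(text):
    """Parse the constructed log format into (timestamp, host, dest, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, nbytes = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, dest, int(nbytes)))
    return records


def daily_volumes(records):
    """Aggregate bytes out per (host, dest) pair per calendar day."""
    per_pair = defaultdict(lambda: defaultdict(int))
    for ts, host, dest, nbytes in records:
        per_pair[(host, dest)][ts.date()] += nbytes
    return per_pair


def detect_volume_spikes(records, per_day_cap=PER_DAY_CAP):
    """Classic rule: any single day over the cap. Catches bursts, misses patient transfers."""
    hits = []
    for (host, dest), days in daily_volumes(records).items():
        worst_day, worst = max(days.items(), key=lambda kv: kv[1])
        if worst > per_day_cap:
            hits.append({"host": host, "dest": dest, "day": worst_day.isoformat(), "bytes": worst})
    return sorted(hits, key=lambda h: (h["host"], h["dest"]))


def detect_low_and_slow(records, min_days=MIN_ACTIVE_DAYS, per_day_cap=PER_DAY_CAP,
                        total_min=TOTAL_MIN, max_cv=MAX_CV):
    """Flag (host, dest) pairs that stay under the daily cap every day yet move a large,
    evenly paced total across many days. Pairs that already trip the volume rule are
    left to it, so each finding has exactly one owning rule."""
    hour_by_pair = defaultdict(list)
    for ts, host, dest, _ in records:
        hour_by_pair[(host, dest)].append(ts.hour)
    findings = []
    for (host, dest), days in daily_volumes(records).items():
        volumes = list(days.values())
        if len(volumes) < min_days or max(volumes) > per_day_cap:
            continue
        total = sum(volumes)
        if total < total_min:
            continue
        cv = pstdev(volumes) / mean(volumes)   # evenness of the daily byte counts
        if cv > max_cv:
            continue
        hours = hour_by_pair[(host, dest)]
        off_hours = sum(1 for h in hours if h < 6) / len(hours)  # share of transfers before 06:00 UTC
        findings.append({"host": host, "dest": dest, "days": len(volumes), "total_bytes": total,
                         "daily_cv": round(cv, 3), "off_hours_fraction": round(off_hours, 2)})
    return sorted(findings, key=lambda f: -f["total_bytes"])


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print("volume spikes:", detect_volume_spikes(recs))
    print("low and slow :", detect_low_and_slow(recs))
```

The two rules deliberately do not overlap: a pair that exceeds the daily cap on any day is excluded from the low-and-slow check, which keeps triage unambiguous. In practice the thresholds would be set per research group from a baseline of its normal outbound volume, and the `off_hours_fraction` and `daily_cv` fields are there so an analyst can see at a glance why the pair was flagged rather than only that it was.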
Public-private coordination is a recurring theme because many targets are civilian institutions that lack national-level intelligence resources. Sharing indicators, threat behavior, and legal approaches allows firms to see patterns faster and avoid repeating mistakes. Lyons notes that timely information flow changes the defender’s window of advantage.
Finally, resilience matters: slow down the pathways of theft by adding friction where possible and make stolen data less useful through encryption and compartmentalization. When combined with smarter hiring practices and contract scrutiny, these steps make extraction costlier and less reliable. Increasing the cost and risk of theft is the most practical way to reduce successful intellectual property losses.
