How to Cooperate against Cyber Threats
Recent press coverage of cyber intrusions is now giving the vulnerability of our business community’s rich lodes of intellectual property the attention it deserves. U.S. economic prosperity and world-market leadership will depend on its intellectual property well into the future. We need solutions to the problem of cyber theft of intellectual property, and we need them now.
McAfee, the Intel-owned security technology company, has written two revealing reports on cyber espionage. "Night Dragon" exposed Chinese penetration of the architecture of U.S. oil companies against whom Chinese firms were competing for oil leases in West Africa. U.S. bidders lost to Chinese teams who knew the bidding strategies of their competition. "Shady Rat" detailed attacks—ostensibly Chinese—that occurred over a five-year period on American and other companies and government agencies, including the International Olympic Committee and its U.S. affiliate. Some companies still haven’t discovered who hacked them.
Another information-security company, Mandiant, issued a more damning report tracing elements of code from hacks on U.S. companies to a Unit 61398 of the People's Liberation Army (PLA), which works directly for China's "General Staff Department," the equivalent of our Joint Chiefs of Staff. Unit 61398 has "stolen hundreds of terabytes of data from at least 141 organizations," Mandiant declared. No doubt this single unit represents the tip of a large iceberg. Not only do the Chinese steal data. They also cover their tracks very effectively. It took months for Dell Secureworks to isolate the methods and tradecraft used by the Chinese Comment Crew over three years to attack an eight-person, family-owned software company, Solid Oak Software.
Unit 61398's actions should not be surprising. When visiting China's equivalent of the RAND Corporation in 2011, a delegation from Business Executives for National Security (BENS) heard a young staffer, fluent in English and sporting a Ph.D. in computer science from MIT, declare that China had reached its strategic moment. Quoting from an official paper, he said China had the right to take U.S. technology that China needed.
The same attitude is seen among some Russians. The head of the Russian Foreign Intelligence Service, the SVR, has said, "Intelligence…aims at supporting the process of modernization of our country and creating the optimal conditions for the development of its science and technology." This Hobbesian environment affects firms ranging from financial institutions to Tier 1 defense companies to mom-and-pop outfits like Solid Oak. To thwart detection, states are now using criminal organizations to steal intellectual property. And while they are no less active than their Chinese counterparts, Eastern European hackers generally seek to steal money from financial institutions as well as intelligence.
U.S. businesses and government agencies are hemorrhaging intellectual property, which in Chinese and other hands will surely be used against the United States, both economically and militarily. To counter this historically unprecedented transfer of intellectual capital, we must act quickly.
The president's recent executive order calling for a framework to reduce cyber risks to critical infrastructure and seeking greater government-business information sharing on cyber threats is an important first step. But the timelines for implementation are long, and the scope is restricted to what the federal government can do without legislation. For example, two-way information sharing will be hampered until legislation can be passed to provide liability protection for companies sharing cyber-threat information with the government. The executive order must be the essential "down payment" for legislation and governmental partnership with the private sector, which owns and operates more than 90 percent of the Internet.
The administration's newly released “Strategy on Mitigating the Theft of U.S. Trade Secrets” helpfully presents principles and a good deal of information about cyber theft and governmental responses. But it gives no timelines, funding parameters, objectives or other specifics of execution. Nor does it establish any clear lines of responsibility and specific authority for addressing the problem.
Business plays an equivocal role in the effort to counter cyber theft. Business leaders are wary of government regulation and check-the-box reporting requirements that result in what they see as no security gains. Business leaders and trade organizations representing business interests also remain wary of legislation or executive mandates that require disclosure of cyber compromise, which poses a threat to brand value and profit. Effective public-private partnerships with proper liability and anonymity protection could spur more enthusiastic cooperation.