Recent press coverage of cyber intrusions is now giving the vulnerability of our business community’s rich lodes of intellectual property the attention it deserves. U.S. economic prosperity and world-market leadership will depend on its intellectual property well into the future. We need solutions to the problem of cyber theft of intellectual property, and we need them now.
McAfee, the Intel-owned security technology company, has written two revealing reports on cyber espionage. "Night Dragon" exposed Chinese penetration of the architecture of U.S. oil companies against whom Chinese firms were competing for oil leases in West Africa. U.S. bidders lost to Chinese teams who knew the bidding strategies of their competition. "Shady Rat" detailed attacks—ostensibly Chinese—that occurred over a five-year period on American and other companies and government agencies, including the International Olympic Committee and its U.S. affiliate. Some companies still haven’t discovered who hacked them.
Another information-security company, Mandiant, issued a more damning report tracing elements of code from hacks on U.S. companies to a Unit 61398 of the People's Liberation Army (PLA), which works directly for China's "General Staff Department," the equivalent of our Joint Chiefs of Staff. Unit 61398 has "stolen hundreds of terabytes of data from at least 141 organizations," Mandiant declared. No doubt this single unit represents the tip of a large iceberg. Not only do the Chinese steal data. They also cover their tracks very effectively. It took months for Dell Secureworks to isolate the methods and tradecraft used by the Chinese Comment Crew over three years to attack an eight-person, family-owned software company, Solid Oak Software.
Unit 61398's actions should not be surprising. When visiting China's equivalent of the RAND Corporation in 2011, a delegation from Business Executives for National Security (BENS) heard a young staffer, fluent in English and sporting a Ph.D. in computer science from MIT, declare that China had reached its strategic moment. Quoting from an official paper, he said China had the right to take U.S. technology that China needed.
The same attitude is seen among some Russians. The head of the Russian Foreign Intelligence Service, the SVR, has said, "Intelligence…aims at supporting the process of modernization of our country and creating the optimal conditions for the development of its science and technology." This Hobbesian environment affects firms ranging from financial institutions to Tier 1 defense companies to mom-and-pop outfits like Solid Oak. To thwart detection, states are now using criminal organizations to steal intellectual property. And while they are no less active than their Chinese counterparts, Eastern European hackers generally seek to steal money from financial institutions as well as intelligence.
U.S. businesses and government agencies are hemorrhaging intellectual property, which in Chinese and other hands will surely be used against the United States, both economically and militarily. To counter this historically unprecedented transfer of intellectual capital, we must act quickly.
The president's recent executive order calling for a framework to reduce cyber risks to critical infrastructure and seeking greater government-business information sharing on cyber threats is an important first step. But the timelines for implementation are long, and the scope is restricted to what the federal government can do without legislation. For example, two-way information sharing will be hampered until legislation can be passed to provide liability protection for companies sharing cyber-threat information with the government. The executive order must be the essential "down payment" for legislation and governmental partnership with the private sector, which owns and operates more than 90 percent of the Internet.
The administration's newly released “Strategy on Mitigating the Theft of U.S. Trade Secrets” helpfully presents principles and a good deal of information about cyber theft and governmental responses. But it gives no timelines, funding parameters, objectives or other specifics of execution. Nor does it establish any clear lines of responsibility and specific authority for addressing the problem.
Business plays an equivocal role in the effort to counter cyber theft. Business leaders are wary of government regulation and check-the-box reporting requirements that result in what they see as no security gains. Business leaders and trade organizations representing business interests also remain wary of legislation or executive mandates that require disclosure of cyber compromise, which poses a threat to brand value and profit. Effective public-private partnerships with proper liability and anonymity protection could spur more enthusiastic cooperation.
As a first step, the country must develop mechanisms for sharing information on the changing methods and tradecraft of cyberattacks. Fortunately, a successful example of this kind of organization exists in the Advanced Cyber Security Center (ACSC) of Massachusetts Insight, a nonprofit corporation. ACSC combines the efforts of industry, academic institutions and state government to create a collaborative environment in which signatures of hacks and other information critical to defense of intellectual property can be shared without attribution. If legislation is passed to provide liability protection for private-sector information sharing, Department of Homeland Security “fusion centers” can become important venues for information sharing on cyber issues. Such collaborative relationships could make responses from public-private partnerships more agile and effective.
Second, business must lead in the area of standards by fostering and spreading a consensus on best practices. Some questions that hang over this effort are: What should be the minimum levels of certification and protection for IT architecture? What kinds of forensic tools are needed for assessing attacks, locating backdoors and other implanted malware? Given that smaller firms hold much of the technological creativity in our economy, how can we frame standards of business practice that can be implemented by small and large corporations alike?
Business should engage with government in developing the cybersecurity framework mandated in the president's executive order. Firms such as McAfee, Dell Secureworks, Mandiant and others, working with professional organizations such as the Chamber of Commerce and the Business Roundtable, can do much of the development, updating and promulgating of practical procedures before handing off to government. To preempt attacks, shouldn’t we shield Internet carriers from lawsuit if they report malware moving through their networks? To reduce the amount of illicit traffic and make the malware challenge less overpowering to corporate security officers, we could create a virtual boundary that prevents traffic from known malevolent domain names and identities from entering U.S. networks.
Third, we do not have a doctrine for dealing with cyberattack. Does theft of intellectual property at some point breach a threshold that calls for an aggressive U.S. response, or do we rely solely on defensive actions? Is it possible to deter attacks on infrastructure, rather than waiting for the damage to become manifest? And, if there are unacceptable levels of loss from theft of intellectual property or destruction of infrastructure, should we not announce our redlines to the foreign capitals now involved in stealing commercial secrets and reconnoitering our infrastructure?
Finally, how do we ensure that companies report losses of intellectual property as part of their duty to shareholders? Surely the threats from the Internet pose a bottom-line risk to the ability of companies to compete in the world markets over the long haul. Couldn’t the loss of intellectual property be dealt with in a manner similar to U.S. Customs’ practice of mitigation, where those who have contraband on their ships aren't punished if they adhered to mandated best practices?
Gaining consensus and implementing the policies and practices noted above will not be easy. But a collaborative approach to protecting the U.S. economy and its role in the international marketplace could remove much of the institutional reluctance of business to accept new standards. Allowing the users and providers of the Internet the primary voice in framing best practice and working to protect our IT infrastructure, in partnership with government, offers the only quick way to solutions that can work.
General Montgomery C. Meigs, USA (Ret.) is president and CEO of Business Executives for National Security, a nonpartisan organization based in Washington. This is a personal comment.