If actions – or in this case inaction – speak louder than words, the message from the U.S. government to the private sector regarding defense against cyber economic espionage by China is clear: “You’re on your own.”
That remains true, in the view of multiple experts, even after Chinese President Xi Jinping and U.S. President Barack Obama announced an agreement last week that, according to a White House press secretary Fact Sheet, “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
First, the agreement refers only to the governments of both countries – not their private sectors.
Harvard Law professor Jack Goldsmith noted in a post on the Lawfare blog, “this statement leaves untouched cybertheft of IP (intellectual property) by non-governmental entities in China, including NGO cybertheft activity of which China’s government is aware (as opposed to that which it supports).”
Second, Xi has consistently denied that China engages in economic espionage to benefit its private-sector corporations. So, in essence, he is agreeing not to do something he says his nation doesn’t do anyway.
That is in spite of overwhelming evidence – at least in the view of U.S. experts – that while many countries engage in economic espionage, the vast majority of it against the U.S. is done by China.
The list of breaches is long and varied – U.S. airlines, universities, healthcare organizations, news organizations (including Forbes and The New York Times), IT giants including Google, and critical infrastructure. That doesn’t count the catastrophic hack of the federal Office of Personnel Management (OPM) that compromised the personal information of about 21 million current and former government employees, since that was presumably not aimed at stealing IP or trade secrets. And those are just a few of the publicly reported ones.
Security firm Mandiant, now a part of FireEye, reported in February 2013 on efforts by a Chinese military unit that hacked into 141 businesses, most of them in the U.S.
As Justin Harvey, CSO at Fidelis Cybersecurity, put it, “How can you deal with an adversary that categorically denies its involvement, yet continues to pilfer IP right under our noses?”
Third, the U.S. response over the past six years from top officials including President Obama has been to make numerous threats of economic sanctions, but none of those threats has ever been carried out.
Indeed, just about a month ago there were yet more threats. The Washington Post reported that, “the Obama administration is developing a package of unprecedented economic sanctions against Chinese companies and individuals who have benefited from their government’s cyber theft of valuable U.S. trade secrets.”
But, with the approach of Xi’s visit, those reports faded. There was still some strong rhetoric. U.S. National Security Adviser Susan Rice, in remarks at George Washington University, said Chinese economic cyber espionage, “undermines our long-term economic cooperation and it needs to stop.”
In a speech to the Business Roundtable before Xi’s visit, Obama again threatened sanctions.
“Industrial espionage and stealing trade secrets, stealing proprietary information from companies [is] an act of aggression that has to stop,” he said. “And we are preparing a number of measures that will indicate to the Chinese that this is not just a matter of us being mildly upset, but is something that will put significant strains on the bilateral relationship if not resolved.”
But, as the Wall Street Journal somewhat sardonically noted in a story just before Xi’s visit, the only “decisive action” the U.S. has taken in response to Chinese economic espionage on American companies has been to, “announce (that) President Obama will no longer stay at New York’s Waldorf Astoria. The hotel was bought by a Chinese insurance company with close ties to Communist Party bosses, making the risk of surveillance too great.”
Even Director of National Intelligence James Clapper has said U.S. policy on economic cyber espionage lacks, “both the substance and the psychology of deterrence.”
All this, multiple experts say, is in large measure because both nations’ economies are so heavily dependent on one another. If the U.S. imposes crippling sanctions on China, that would affect China’s economy, which would in turn depress the U.S. economy. American purchases from China have reportedly surpassed $460 billion.
Harvey noted that most of the options available to the U.S., “involve possibly hurting our trade with them.” Meanwhile, “China is addicted to our intellectual property and cannot afford to stop, especially with the volatility in their economy,” he said.
Kevin Murray, director at Murray Associates, said the reality is that, “both leaders know economics comes first.
“Waving an ‘agreement’ in the air may mollify some of their constituents,” he said, but the subtext of promising that “governments” won’t do it acknowledges the reality that they “can’t control all the rogue hackers out there. All they can say is that their governments are not behind it, and they don’t condone it.”
William Munroe, vice president of marketing at Interset, said a relatively vague agreement is not going to overturn centuries of Chinese culture. “Stealing ideas and IP has been a part of Chinese culture for centuries, so any sanctions will likely have little to no effect, while creating economic risk,” he said.
And Brian Lozada, director of information security at Abacus Group, said given the mutual economic dependence of the two countries on one another, “regardless of whether sanctions were implemented or not, I do not believe it would deter or even slow down ongoing cyber-espionage activity.”
Hence, those experts agree that if private organizations want to protect their trade secrets and intellectual property, they are going to have to do it themselves.
And this is not an impossible task, they say. While there is no such thing as 100 percent security, they can get a lot closer simply by doing the basics.
Robyn Greene, policy counsel of the New America Foundation’s Open Technology Institute, said at a recent conference on the sharing of cyber threat information that, “90 percent (of attacks) are defensible with solutions that are already out there.”
She and other experts call it “security hygiene,” which includes hardened perimeters, strong encryption and authentication, and training both technical and non-technical employees in basics like rigorous passwords and how to spot phishing attacks.
“It shouldn't just be hard for malicious actors to break in, it should be impossible for them to understand what's there if and when they get through the door,” she said.
Harvey said he thinks too many companies are, “hiring people to support tools, instead of hiring people to use the tools. Incident response doesn't have to be the black art as it has been historically,” he said.
That, he added, would help decrease “dwell time” – the time from an attack to when an organization detects and responds to it. “The average dwell time in 2014 was an abysmal 205 days,” he said. “That means attackers had access to those companies' networks for more than six months.”
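The dwell-time metric Harvey refers to is easy to compute from an organization's own incident records, and tracking it is one concrete way to measure whether detection is improving. The following is an added example, not code from the article or from Fidelis; the incident records are constructed sample data, and the 180-day threshold is an assumption chosen to match the “more than six months” figure quoted above.

```python
from datetime import date
from statistics import mean, median

# Constructed sample incident records (not from the article). Each record
# holds the date of initial compromise and the date the organization
# detected the intrusion, in ISO format.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "compromised": "2014-01-10", "detected": "2014-08-20"},
    {"id": "INC-2", "compromised": "2014-03-05", "detected": "2014-03-19"},
    {"id": "INC-3", "compromised": "2013-11-01", "detected": "2014-09-30"},
    {"id": "INC-4", "compromised": "2014-06-15", "detected": "2014-06-15"},
]


def dwell_time_days(compromised, detected):
    """Dwell time: whole days from initial compromise to detection."""
    start = date.fromisoformat(compromised)
    end = date.fromisoformat(detected)
    if end < start:
        # A detection date before the compromise date is a data-entry error,
        # not a negative dwell time; refuse it rather than skew the average.
        raise ValueError(f"detection date {detected} precedes compromise date {compromised}")
    return (end - start).days


def dwell_time_report(incidents, threshold_days=180):
    """Summarize dwell time across incidents and flag long-dwell cases.

    threshold_days is an assumed cutoff (roughly six months) for incidents
    that deserve a root-cause review of why detection took so long.
    """
    dwell = {inc["id"]: dwell_time_days(inc["compromised"], inc["detected"])
             for inc in incidents}
    values = list(dwell.values())
    return {
        "mean_days": mean(values),
        "median_days": median(values),
        "max_days": max(values),
        "over_threshold": [inc_id for inc_id, d in dwell.items() if d > threshold_days],
    }


if __name__ == "__main__":
    report = dwell_time_report(SAMPLE_INCIDENTS)
    print(f"mean dwell time: {report['mean_days']:.1f} days")
    print(f"median dwell time: {report['median_days']:.1f} days")
    print(f"longest dwell time: {report['max_days']} days")
    print("incidents over threshold:", ", ".join(report["over_threshold"]))
```

The mean is what industry reports usually quote, but the median is worth tracking alongside it: a single long-running intrusion can drag the mean up, so a program whose median is falling is improving even if one outlier keeps the average high.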
According to Murray, government should create what he called a “National Interest Assets (NIA) law.” That, he said, would:
- Protect the IP timeline, from brainstorming and initial discussions to the final product or business strategy.
- Impose due care responsibility on the creators and holders of competitive advantage information.
- Specify compliance requirements aimed at countering traditional business espionage practices. Those include Technical Surveillance Countermeasures Inspections (TSCM / bug sweeps), information-security audits and information-security compliance procedures.
“The cost of keeping NIA safe is infinitesimal compared to current losses, not to mention the long-term effects,” he said. “Just ask the Chinese.”
Finally, Munroe said it is important to remember that malicious insiders can do as much damage as Chinese hackers, and that the systems to protect IP are not as expensive and complex as they were.
“More affordable, off-the-shelf technologies are becoming available that use data science, without requiring teams of expensive data scientists,” he said. “They use big data analytics technologies like Hadoop, but in a hosted cloud environment that's more affordable and doesn't require an IT team to care and feed.”