IP protection: Don’t expect government help

Security experts say last week’s agreement between U.S. President Barack Obama and Chinese President Xi Jinping could lead to a reduction in economic cyber espionage. But, they say, it is just as possible that nothing will change.

If actions – or in this case inaction – speak louder than words, the message from the U.S. government to the private sector regarding defense against cyber economic espionage by China is clear: “You’re on your own.”

That remains true, in the view of multiple experts, even after Chinese President Xi Jinping and U.S. President Barack Obama announced an agreement last week that, according to a White House press secretary fact sheet, “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

First, the agreement refers only to the governments of both countries – not their private sectors.

Harvard Law professor Jack Goldsmith noted in a post on the Lawfare blog, “this statement leaves untouched cybertheft of IP (intellectual property) by non-governmental entities in China, including NGO cybertheft activity of which China’s government is aware (as opposed to that which it supports).”

Second, Xi has consistently denied that China engages in economic espionage to benefit its private-sector corporations. So, in essence, he is agreeing not to do something he says his nation doesn’t do anyway.

That is in spite of overwhelming evidence – at least in the view of U.S. experts – that while many countries engage in economic espionage, the vast majority of it against the U.S. is done by China.


The list of breaches is long and varied – U.S. airlines, universities, healthcare organizations, news organizations (including Forbes and The New York Times), IT giants including Google, and critical infrastructure. That doesn’t count the catastrophic hack of the federal Office of Personnel Management (OPM) that compromised the personal information of about 21 million current and former government employees, since that was presumably not aimed at stealing IP or trade secrets. And those are just a few of the publicly reported ones.

Security firm Mandiant, now a part of FireEye, reported in February 2013 on efforts by a Chinese military unit that hacked into 141 businesses, most of them in the U.S.

As Justin Harvey, CSO at Fidelis Cybersecurity, put it, “How can you deal with an adversary that categorically denies its involvement, yet continues to pilfer IP right under our noses?”


Third, the U.S. response over the past six years from top officials including President Obama has been to make numerous threats of economic sanctions, but none of those threats has ever been carried out.

Indeed, just about a month ago there were yet more threats. The Washington Post reported that, “the Obama administration is developing a package of unprecedented economic sanctions against Chinese companies and individuals who have benefited from their government’s cyber theft of valuable U.S. trade secrets.”

But, with the approach of Xi’s visit, those reports faded. There was still some strong rhetoric. U.S. National Security Adviser Susan Rice, in remarks at George Washington University, said Chinese economic cyber espionage, “undermines our long-term economic cooperation and it needs to stop.”

In a speech to the Business Roundtable before Xi’s visit, Obama again threatened sanctions.

“Industrial espionage and stealing trade secrets, stealing proprietary information from companies [is] an act of aggression that has to stop,” he said. “And we are preparing a number of measures that will indicate to the Chinese that this is not just a matter of us being mildly upset, but is something that will put significant strains on the bilateral relationship if not resolved.”

But, as the Wall Street Journal somewhat sardonically noted in a story just before Xi’s visit, the only “decisive action” the U.S. has taken in response to Chinese economic espionage on American companies has been to, “announce (that) President Obama will no longer stay at New York’s Waldorf Astoria. The hotel was bought by a Chinese insurance company with close ties to Communist Party bosses, making the risk of surveillance too great.”

Even Director of National Intelligence James Clapper has said U.S. policy on economic cyber espionage lacks, “both the substance and the psychology of deterrence.”

All this, multiple experts say, is in large measure because both nations’ economies are so heavily dependent on one another. If the U.S. imposes crippling sanctions on China, that would affect China’s economy, which would in turn depress the U.S. economy. American purchases from China have reportedly surpassed $460 billion.

Harvey noted that most of the options available to the U.S., “involve possibly hurting our trade with them.” Meanwhile, “China is addicted to our intellectual property and cannot afford to stop, especially with the volatility in their economy,” he said.

Kevin Murray, director at Murray Associates, said the reality is that, “both leaders know economics comes first.

“Waving an ‘agreement’ in the air may mollify some of their constituents,” he said, but the subtext of promising that “governments” won’t do it acknowledges the reality that they, “can’t control all the rogue hackers out there. All they can say is that their governments are not behind it, and they don’t condone it.”



William Munroe, vice president of marketing at Interset, said a relatively vague agreement is not going to overturn centuries of Chinese culture. “Stealing ideas and IP has been a part of Chinese culture for centuries, so any sanctions will likely have little to no effect, while creating economic risk,” he said.

And Brian Lozada, director of information security at Abacus Group, said that given the two countries’ mutual economic dependence, “regardless of whether sanctions were implemented or not, I do not believe it would deter or even slow down ongoing cyber-espionage activity.”


Hence, those experts agree that if private organizations want to protect their trade secrets and intellectual property, they are going to have to do it themselves.

And this is not an impossible task, they say. While there is no such thing as 100 percent security, organizations can get a lot closer simply by doing the basics.

Robyn Greene, policy counsel of the New America Foundation’s Open Technology Institute, said at a recent conference on the sharing of cyber threat information that, “90 percent (of attacks) are defensible with solutions that are already out there.”

She and other experts call it “security hygiene,” which includes hardened perimeters, strong encryption and authentication and training both technical and non-technical employees in basics like rigorous passwords, and how to spot phishing attacks.

“It shouldn't just be hard for malicious actors to break in, it should be impossible for them to understand what's there if and when they get through the door,” she said.

Harvey said he thinks too many companies are, “hiring people to support tools, instead of hiring people to use the tools. Incident response doesn't have to be the black art as it has been historically,” he said.


That, he added, would help decrease “dwell time” – the time from an attack to when an organization detects and responds to it. “The average dwell time in 2014 was an abysmal 205 days,” he said. “That means attackers had access to those companies' networks for more than six months.”

According to Murray, government should create what he called a “National Interest Assets (NIA) law.” That, he said, would:

  • Protect the IP timeline, from brainstorming and initial discussions to the final product or business strategy.
  • Impose due care responsibility on the creators and holders of competitive advantage information.
  • Specify compliance requirements aimed at countering traditional business espionage practices. Those include Technical Surveillance Countermeasures Inspections (TSCM / bug sweeps), information-security audits and information-security compliance procedures.

“The cost of keeping NIA safe is infinitesimal compared to current losses, not to mention the long-term effects,” he said. “Just ask the Chinese.”

Finally, Munroe said it is important to remember that malicious insiders can do as much damage as Chinese hackers, and that the systems to protect IP are not as expensive and complex as they were.

“More affordable, off-the-shelf technologies are becoming available that use data science, without requiring teams of expensive data scientists,” he said. “They use big data analytics technologies like Hadoop, but in a hosted cloud environment that's more affordable and doesn't require an IT team to care and feed.”

Stories by Taylor Armerding