The United States has made it clear to China that its cyber-espionage activities are a serious concern.The Washington Post reported this week that several US military weapons systems and technologies have been compromised by Chinese hackers, according to the Defense Science Board. As alarming as that news is, China’s cyber-spying attacks are also bombarding US businesses.
If the US wishes to stop this Chinese economic cyber-espionage, it will need to increase the costs and reduce the benefits of such activities. That will cause China and other competitors to rethink whether such activities are worth it. Government actions are important, but the key players in this game sit in the private sector. A true public-private partnership is needed.
The threat of Chinese cyberspying to US businesses is clear. A report released last week by the Commission on the Theft of American Intellectual Property states that: “China is two-thirds of the intellectual property theft problem, and we are at a point where it is robbing us of innovation to bolster their own industry, at a cost of millions of jobs.”What makes the US-China dispute unique is that the two countries are playing a game – spy vs. spy – that is accepted in international relations, but they are playing it by different rules.
The US government views espionage as a national security activity, not as a tool for furthering the economic well-being of US companies. In contrast, China views the well-being of its companies as being directly tied to the security interests of the nation. In their minds, drawing a line between espionage focused on stealing state secrets and espionage focused on stealing corporate secrets is arbitrary. China is not the only country that has such views. However, the scale and scope of Chinese activity is unparalleled, and the potential threat it poses to US competitiveness is certainly raising the eyebrows, if the not hackles, of the nation’s highest leaders.
Because of this fundamental difference in the acceptability of state-sponsored cyber-economic espionage, the United States will be hard pressed to stop such activities with words alone. The US will need to raise the costs and lower the benefits of such activities. There are several policy levers that the US government can use to achieve those goals, though changing China’s fundamental views through government actions alone will be difficult.
For example, the US government can threaten retaliatory actions, be they economic, diplomatic, legal, or technical in nature. For example, the US could impose economic sanctions or deny visasto suspected cyberspies and/or their enablers.There are certainly benefits to pursuing these ideas, but US options will be limited because of the trade-offs involved in increasing tensions with its largest trading partner. If China truly views economic espionage as a national security matter, if will strongly resist efforts to curtail such activity, especially if it views the US position as being hypocritical. The US may thus risk retaliatory actions on American companies or citizens if it pushes too hard on this issue.
A more powerful option is for the US government to help industry lower the value that China gains from its activities. This can be done in three ways. First, the US government must provide companies with actionable intelligence that they can use to protect their networks. The Cyber Executive Order – a policy document issued by the White House in February – declared that the federal government will make such information increasingly available to critical infrastructures like power plants and major financial institutions.
However, much of the cyber-espionage occurring today targets organizations, including professional services firms and innovative start-ups, that do not fall under the Cyber Executive Order’s provision. The US Department of Homeland Security needs to use its authority to incentivize and enable the creation of trusted federations of companies, like the Advanced Cyber Security Center in Massachusetts, that share cyberthreat information and best practices for cyberprotection.By sharing what they know, companies can shed light on the tactics that the Chinese are using – to the benefit of all.
Second, government agencies must incentivize companies to take actions that improve their cybersecurity. Numerous studies have shown that most companies fail to effectively implement even the most basic cybersecurity controls such as patching known vulnerabilities and limiting the number of users with administrative privileges. Such controls will not stop advanced attacks, but they can make cyberspies work harder. And by stopping lower-level attacks with these controls, they can free up corporate resources to address more sophisticated attacks.
In addition, information sharing will provide little benefit unless companies have the people and processes to use that information effectively. Financial incentives, such as tax breaks and fines, may be the best tools for changing corporate decisionmaking on this issue, but all options should be explored.
Finally, the US government needs to clarify the legal framework that delineates what kinds of “active defenses” are permissible under different circumstances. In particular, the Computer Fraud and Abuse Act needs to be updated to better reflect the circumstances that companies face today. For example, it may be necessary to clarify what actions companies can take to track the theft of their intellectual property outside of corporate networks. All nations spy on each other, but right now, the United States and China are playing the spy-vs.-spy game using different sets of rules. If the US wants China to change its behavior, it will need to change the payoff that China gets from playing the game its way.