June 4 2013
It's Time for the U.S. to Deal with Cyber-Espionage
Carrie L. Lukas
Cyberwarfare and corporate espionage sound like the basis of a good summer beach read: the perfect escape from the too-gloomy realities of an economy that continues to sputter, leaving millions of Americans out of work and millions more underemployed. Yet Americans should be aware that far from fiction, industrial espionage has become a common occurrence and one that adds heavily to our economic woes.
The numbers involved are staggering. The director of the National Security Agency, Gen. Keith Alexander, called cybercrime "the greatest transfer of wealth in history." The price tag for intellectual property theft from U.S. companies is at least $250 billion a year. That's far more than what businesses pay in federal corporate income taxes.
Imagine what recouping those lost billions would mean to our economy and American workers: More jobs, higher pay, and lower prices would be the immediate result. It would also mean more innovation and a higher standard of living in the future. Today, business leaders have reason to be reluctant to invest scarce resources on research and development since that information and innovation may be stolen before they can bring new products to market. Without the specter of this crime, more money would be invested in identifying new technologies and medical breakthroughs that would make our lives healthier and richer.
Of course, there is no way that America can identify, let alone stop, every cyberhacker. Yet cyber-espionage isn't primarily just the work of entrepreneurial, tech-savvy criminals. Much of the dirty work is done by state-sponsored cyberspies, who are purposefully draining information from vital U.S. infrastructure systems and businesses.
The Virginia-based cyber security firm Mandiant recently released a report detailing one source of persistent cyber attacks, the Chinese People's Liberation Army. Mandiant estimates that since 2006, a single Chinese army cyberattack unit has compromised "141 companies spanning 20 major industries, from information technology and telecommunications to aerospace and energy," using a "well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property."
Mandiant explains that once these hackers have infiltrated an organization's system, they "periodically revisit the victim's network ... and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists". On average, access to a victimized network is maintained for nearly a year.
Unsurprisingly, it's not just businesses that are hemorrhaging proprietary information and losing vast amounts of wealth as a result of these attacks. The United States government is a frequent victim, and national security, rather than just dollars, is often a casualty.
The General Accounting Office found that in 2012 federal agencies reported 46,562 cyber security incidents. That's a big uptick from 5,503 incidents in 2006. GAO concludes that such attacks "have placed sensitive information at risk, with potentially serious impacts on federal and military operation; critical infrastructure; and confidentiality, integrity, and availability of sensitive government, private sector, and personal information." GAO also details how federal agencies across the board have been insufficient in creating plans to deter, detect and address such cyber threats.
In a rare bipartisan move, the Senate is advancing legislation designed to give the federal government more leverage to discourage the practice. The Deter Cyber Theft Act, sponsored by Democrats Carl Levin of Michigan and Jay Rockefeller of West Virginia and Republicans John McCain of Arizona and Tom Coburn of Oklahoma, would require the director of national intelligence to provide an annual report to Congress on the countries engaged in and supporting these activities, the companies and technologies that have been compromised, and the products and services being sold using stolen information. The report would include a watch list of the countries most involved in supporting intellectual property theft, and the president would be charged with holding offending countries accountable, by blocking the importation of products utilizing stolen information created by state-owned enterprises of priority countries.
Such power would be an important step toward discouraging these costly crimes, without giving up the goal of encouraging legitimate international commerce. After all, trade between countries is enriching, and the American people benefit from the ability to buy and sell products worldwide. However, Americans deserve to have their property rights – including their intellectual property rights – protected. Just as our government wouldn't tolerate the seizure of ships transporting our goods to market, it shouldn't tolerate theft that occurs in cyberspace.
Americans may enjoy a good spy story, but the saga of adversaries draining intellectual property from American companies is one that needs to come to an end.