Risk
5/8/2013
05:03 PM

Senate Bill Calls For 'Watch List' Of Nations Cyberspying On U.S., Trade Sanctions

China faces increasing political pressure from the U.S. to curb its cyberespionage activity, but legislation not certain

In a week that began with the rare move of the Pentagon calling out the Chinese government and military for attacks on U.S. government networks, some key senators have drafted a bill that would create a watch list of nations conducting cyberespionage against the U.S., and spell out just what technologies and products are being stolen -- as well as which foreign firms benefit from the intellectual property stolen from the U.S.

The bipartisan bill, co-sponsored by Sens. Carl Levin, D-Mich.; John McCain, R-Ariz.; Jay Rockefeller, D-W.Va.; and Tom Coburn, R-Okla., is the latest move by the U.S. to ratchet up pressure on China, which has been outed as one of the world's biggest cyberespionage actors. China, in typical fashion, yesterday shot down the Defense Department's claims of cyberspying, calling them "irresponsible and harmful" and denying any state-sanctioned hacking.

The Deter Cyber Theft Act specifically requires the U.S. National Director of Intelligence to create a "watch list" of nations engaged in cyberespionage activity against the U.S. and a priority list of the "worst offenders." It also calls for an accounting of the U.S. technologies or IP that were targeted, as well as a list of stolen information and the resulting products the information helped build, plus a list of the foreign companies that "benefit from such theft."

Under the bill, the president would block the import of products that contain stolen U.S. intellectual property as well as products from state-owned companies on the priority watch list.

"It is time that we fought back to protect American businesses and American innovation," said Sen. Levin, the chairman of the Senate Armed Services Committee, in a statement. "We need to call out those who are responsible for cyber theft and empower the president to hit the thieves where it hurts most – in their wallets, by blocking imports of products or from companies that benefit from this theft."

But legal experts say passage of The Deter Cyber Theft Act is no sure thing, especially after Congress's failure to pass a cybersecurity bill last year. Yet ever since the release of the Mandiant report in February, which offered the first real evidence of a long-suspected Chinese military link to cyberespionage against U.S. firms, Chinese cyberespionage has been all the talk in Washington. So the timing may be better for this bill, says Stewart Baker, partner in the Washington office of Steptoe & Johnson LLP and a former Department of Homeland Security official.

"This is potentially a big deal for two reasons: First, it is an effort at deterrence of cyberespionage, which is quite different," Baker says. "Second ... it's a very serious potential sanction, saying they are going to refuse permitting imports from products from state-owned enterprises that are benefiting from cyberespionage. That could transform many markets."

The devil's in the details, of course. Just how the feds would be able to procure evidence of a foreign company benefiting from stolen U.S. intellectual property is unclear, Baker notes. "There are also uncertainties on how evidence can be obtained and whether the president is really willing to disrupt trade in that way. But it puts a very big card on the table."

Kristen Verderame, CEO of Pondera International and an attorney, is skeptical the Senate bill has a chance of passing, and says she thinks the sponsors didn't necessarily expect it to, either. "I don't think it was intended to go anywhere necessarily. It was to put a marker in the road," Verderame says. If the sponsors were confident they could pass actual legislation, they would have pulled together other committees and stakeholders, she says.

"These guys are passionate about cybersecurity. They want to do something. They feel like they need to make a statement and show they are serious about cybersecurity," she says. "In terms of any realistic hopes of anything passing [at this time], it's pretty slim."

Congress is still reeling from the failed attempts at a national cybersecurity law, and there just isn't a sufficient climate for getting the latest bill through, either. "Last year, [cyberespionage] was fresh and new. People are getting tired, so now it's turning to China-bashing," Verderame says.

Even so, she says, the more discussion and attention given the cyberespionage problem, the better. "The more noise out there, the better it is" for stronger action, she says.

[New research from multiple sources illustrates dominant role of China in cyberespionage. See Chinese Cyberespionage: Brazen, Prolific, And Persistent.]

Chinese actor groups made up 96 percent of all cyberespionage cases investigated last year, according to Verizon's latest Data Breach Investigations Report. About one-fifth of all breaches in the report were Chinese cyberespionage-based.

"Our economic prosperity and national security depend on bolstering our cybersecurity, and this bill is a crucial component of that effort," bill co-sponsor Sen. Rockefeller said in a statement. "We must cut the demand for stolen trade secrets by holding countries who engage in cyber theft accountable for their illegal activities and by preventing products that use stolen information from entering the U.S. market. Alongside other cybersecurity priorities – including stronger cybersecurity standards, cyber workforce training, R&D, and public-private information sharing -- this bill to elevate cyber theft as a national security priority is a major step forward for American workers, American businesses, and American ingenuity."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
PJS880, User Rank: Ninja
6/16/2013 | 2:55:03 PM
re: Senate Bill Calls For 'Watch List' Of Nations Cyberspying On U.S., Trade Sanctions
I am very certain that the Department of Defense would make a claim without full evidence of backing up their claim. Furthermore DOD would not be so bold as to accuse another government of cyber espionage. I am surprised that there is currently not a list that exists already, sort of troubling don't you think? I do love the idea of starting to protect the American people's intellectual property from being stolen and also profited from theft.

Paul Sprague

InformationWeek Contributor
femtobeam, User Rank: Apprentice
5/11/2013 | 7:12:49 PM
re: Senate Bill Calls For 'Watch List' Of Nations Cyberspying On U.S., Trade Sanctions
What "bills like this"? Some have been waiting for decades for a "bill like this"! Why would a bill defining the origins of "cybertheft" be "bad for Americans"? What is truly "bad for Americans" is being targeted and stolen from. Your statement assumes that there are no mechanisms in place for determining routing and rerouting, something that would have been partially handled by Net Neutrality, had it passed.

Americans deserve to be free from intruders and cyber criminals. The United States seriously needs an accounting of these crimes and a way to redress grievances. Imposing a block on stolen goods will be at least some form of justice. Obviously, you have not read the Mandiant report, which supplied effective proof of not only the origins of cybercrime originating from the Chinese military compound in Shanghai, China, but also discovered the real names, IP addresses, email addresses and physical addresses of the 3 Chinese military personnel who accomplished the Chinese cyberspying mission against the United States.
PanicFox, User Rank: Apprentice
5/10/2013 | 12:26:42 AM
re: Senate Bill Calls For 'Watch List' Of Nations Cyberspying On U.S., Trade Sanctions
This is bad.
This "Deter Cyber Theft" bill will only place restrictions on the people of America, as bills like this always have.
Not only that, IPs do not equal persons, and with this, someone routing an IP through a remote country and attacking America would cause America to respond to said country.