Direct diplomatic pressure, greater law enforcement engagement, promotion of better security practices by potential victims, tougher legislation, and more aggressive public awareness campaigns are some of the main approaches of the strategy announced yesterday by administration officials.
The announcement came a day after Mandiant published a detailed and highly publicized report outing the Chinese military as a major perpetrator of IP theft against the U.S. The report provided the first public disclosure of evidence of a long-suspected Chinese military link to cyberespionage against U.S. firms, tying a prolific and especially persistent cyberespionage group out of China to the People's Liberation Army. The group is responsible for attacks on at least hundreds of companies across 20 major industries, according to Mandiant's investigations into those breaches.
But it's unclear just how the Obama administration's new policy would curb the barrage of well-funded cyberespionage activity out of China, where there are deep-seeded cultural roots behind it, as well as other nations such as Russia and India, which U.S. officials also called out as culprits of this activity against the U.S. Experts say that while the administration's effort is a good first step by putting China and Russia on notice for their cyberespionage activities, it isn't likely to make much of a dent anytime soon on the epidemic of cyberspying by nation-states.
Calling out China is fraught with conflicting interests given the financial and trade ties between the two nations. "You have to separate the technical and political pieces here," says George Kurtz, CEO at CrowdStrike. "We're essentially punching our mortgage bankers in the mouth, which doesn't always go over well. But the mere fact that we are talking about [cyberespionage] and shining a light on it is going to cause some consternation on the Chinese government."
It's not just cybersecurity, Kurtz notes. "We should use all means available in law enforcement and international laws and think about how trade sanctions could be leveraged, or the threat of them, to actually back up the rhetoric we're putting out," he says of the U.S.'s new policy. "It's not going to be an easy task."
The administration's announcement comes at a time of growing concern over the economic impact of stolen intellectual property from U.S. firms and government agencies, especially as more businesses are discovering and publicly 'fessing up that they have been infiltrated by cyberespionage actors, mostly out of China.
And that could help propel the administration's new policy. "If the average American realized that all of their hard work and IP is being shipped abroad, and that tractors or cars or planes they are building are able to be duplicated and copied outside the U.S., we would have an uproar," Kurtz says. "It's not about getting your credit card swiped. It's about competitiveness of the country."
President Obama in his State of the Union speech earlier this month hinted at plans for a more aggressive policy on IP theft. "We are going to aggressively protect our intellectual property. Our single greatest asset is the innovation and the ingenuity and creativity of the American people. It is essential to our prosperity and it will only become more so in this century," he said in his address. "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
At a White House event yesterday announcing the new strategy for mitigating theft of U.S. trade secrets, Attorney General Eric Holder discussed the pervasiveness of trade secret theft. "By corrupting insiders, hiring hackers, and engaging in other unscrupulous and illegal activities, these entities can inflict devastating harm on individual creators, startups, and major companies," he said. "A hacker in China can acquire source code from a software company in Virginia without leaving his or her desk. With a few keystrokes, a terminated or simply unhappy employee of a defense contractor can misappropriate designs, processes, and formulas worth billions of dollars."
[Newly revealed cyberspying campaign against Israeli and Palestinian targets demonstrates how the threat is no longer mostly a China thing. See The Globalization Of Cyberespionage. ]
But the other worst-kept secret is that the U.S. intelligence community isn't just sitting back while China infiltrates U.S. organizations. How can the U.S. navigate that balancing act while it manages its own intelligence operations? "It's legitimate for intelligence to attack each other, and militaries to attack each other," says Richard Bejtlich, CSO for Mandiant. "But when you have a military go against a private company, that's going too far. That raises the flag."
The administration's new strategy will apply coordinated diplomatic pressures on countries to discourage IP theft with a "sustained, consistent, and coordinated message from all appropriate agencies to foreign governments where there are regular incidents of trade secret theft," and to team more with international law enforcement agencies to investigate IP theft cases, according to the policy document.
Voluntary best practices by businesses is also a priority in the strategy: The administration plans to throw its weight behind industry groups that work on this. These types of voluntary best practices could encompass tighter information and physical security, as well as compartmentalizing R&D information. "The Administration encourages organizations and companies to examine internal operations and policies to determine if current approaches are mitigating the risks and factors associated with trade secret misappropriation committed by corporate and state sponsors," the administration said in its paper.
The Department of Justice and FBI will "continue to prioritize" cases involving IP theft, and the FBI is beefing up "its efforts to fight computer intrusions that involve the theft of trade secrets by individual, corporate, and nation-state cyber hackers," the policy says. Stronger U.S. legislation and more public awareness and outreach to businesses is also a key part of the strategy.
The Obama administration's "Strategy On Mitigating The Theft of U.S. Trade Secrets" document is available here (PDF) for download.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.