
5/8/2013
05:03 PM

Senate Bill Calls For 'Watch List' Of Nations Cyberspying On U.S., Trade Sanctions

China faces increasing political pressure from the U.S. to curb its cyberespionage activity, but legislation not certain

In a week that began with the rare move of the Pentagon calling out the Chinese government and military for attacks on U.S. government networks, some key senators have drafted a bill that would create a watch list of nations conducting cyberespionage against the U.S., and spell out just what technologies and products are being stolen -- as well as which foreign firms benefit from the intellectual property stolen from the U.S.

The bipartisan bill, co-sponsored by Sens. Carl Levin, D-Mich.; John McCain, R-Ariz.; Jay Rockefeller, D-W.Va.; and Tom Coburn, R-Okla., is the latest move by the U.S. to ratchet up pressure on China, which has been outed as one of the world's biggest cyberespionage actors. China, in typical fashion, yesterday shot down the Defense Department's claims of cyberspying, calling them "irresponsible and harmful" and denying any state-sanctioned hacking.

The Deter Cyber Theft Act specifically requires the U.S. National Director of Intelligence to create a "watch list" of nations engaged in cyberespionage activity against the U.S. and a priority list of the "worst offenders." It also calls for an accounting of the U.S. technologies or IP that were targeted, as well as a list of stolen information and the resulting products the information helped build, plus a list of the foreign companies that "benefit from such theft."

Under the bill, the president would block the import of products that contain stolen U.S. intellectual property as well as products from state-owned companies on the priority watch list.

"It is time that we fought back to protect American businesses and American innovation," said Sen. Levin, the chairman of the Senate Armed Services Committee, in a statement. "We need to call out those who are responsible for cyber theft and empower the president to hit the thieves where it hurts most – in their wallets, by blocking imports of products or from companies that benefit from this theft."

But legal experts say passage of The Deter Cyber Theft Act is no sure thing, especially after Congress's failure to pass a cybersecurity bill last year. Still, ever since the release of the Mandiant report in February, which offered the first real evidence of a long-suspected Chinese military link to cyberespionage against U.S. firms, Chinese cyberespionage has been all the talk in Washington. So the timing may be better for this bill, says Stewart Baker, partner in the Washington office of Steptoe & Johnson LLP and a former Department of Homeland Security official.

"This is potentially a big deal for two reasons: First, it is an effort at deterrence of cyberespionage, which is quite different," Baker says. "Second ... it's a very serious potential sanction, saying they are going to refuse permitting imports from products from state-owned enterprises that are benefiting from cyberespionage. That could transform many markets."

The devil's in the details, of course. Just how the feds would be able to procure evidence of a foreign company benefiting from stolen U.S. intellectual property is unclear, Baker notes. "There are also uncertainties on how evidence can be obtained and whether the president is really willing to disrupt trade in that way. But it puts a very big card on the table."

Kristen Verderame, CEO of Pondera International and an attorney, is skeptical the Senate bill has a chance of passing, and says she thinks the sponsors didn't necessarily expect it to, either. "I don't think it was intended to go anywhere necessarily. It was to put a marker in the road," Verderame says. If the sponsors were confident they could pass actual legislation, they would have pulled together other committees and stakeholders, she says.

"These guys are passionate about cybersecurity. They want to do something. They feel like they need to make a statement and show they are serious about cybersecurity," she says. "In terms of any realistic hopes of anything passing [at this time], it's pretty slim."

Congress is still reeling from the failed attempts at a national cybersecurity law, and there just isn't the sufficient climate for getting the latest bill through, either. "Last year, [cyberespionage] was fresh and new. People are getting tired, so now it's turning to China-bashing," Verderame says.

Even so, she says, the more discussion and attention given the cyberespionage problem, the better. "The more noise out there, the better it is" for stronger action, she says.

[New research from multiple sources illustrates dominant role of China in cyberespionage. See Chinese Cyberespionage: Brazen, Prolific, And Persistent.]

Chinese actor groups made up 96 percent of all cyberespionage cases investigated last year, according to Verizon's latest Data Breach Investigations Report. About one-fifth of all breaches in the report were Chinese cyberespionage-based.

"Our economic prosperity and national security depend on bolstering our cybersecurity, and this bill is a crucial component of that effort," bill co-sponsor Sen. Rockefeller said in a statement. "We must cut the demand for stolen trade secrets by holding countries who engage in cyber theft accountable for their illegal activities and by preventing products that use stolen information from entering the U.S. market. Alongside other cybersecurity priorities – including stronger cybersecurity standards, cyber workforce training, R&D, and public-private information sharing -- this bill to elevate cyber theft as a national security priority is a major step forward for American workers, American businesses, and American ingenuity."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
PJS880,
User Rank: Ninja
6/16/2013 | 2:55:03 PM
re: Senate Bill Calls For 'Watch List' Of Nations Cyberspying On U.S., Trade Sanctions
I am very certain that the Department of Defense would make a claim without full evidence of backing up their claim. Furthermore, DOD would not be so bold as to accuse another government of cyber espionage. I am surprised that there is currently not a list that exists already, sort of troubling, don't you think? I do love the idea of starting to protect the American people's intellectual property from being stolen and also profited from theft.

Paul Sprague

InformationWeek Contributor
femtobeam,
User Rank: Apprentice
5/11/2013 | 7:12:49 PM
re: Senate Bill Calls For 'Watch List' Of Nations Cyberspying On U.S., Trade Sanctions
What "bills like this"? Some have been waiting for decades for a "bill like this"! Why would a bill defining the origins of "cybertheft" be "bad for Americans"? What is truly "bad for Americans" is being targeted and stolen from. Your statement assumes that there are no mechanisms in place for determining routing and rerouting, something that would have been partially handled by Net Neutrality, had it passed.

Americans deserve to be free from intruders and cyber criminals. The United States seriously needs an accounting of these crimes and a way to redress grievances. Imposing a block on stolen goods will be at least some form of justice. Obviously, you have not read the Mandiant report, which supplied effective proof of not only the origins of cybercrime originating from the Chinese military compound in Shanghai, China, but also discovered the real names, IP addresses, email addresses and physical addresses of the 3 Chinese military personnel who accomplished the Chinese cyberspying mission against the United States.
PanicFox,
User Rank: Apprentice
5/10/2013 | 12:26:42 AM
re: Senate Bill Calls For 'Watch List' Of Nations Cyberspying On U.S., Trade Sanctions
This is bad.
This "Deter Cyber Theft" bill will only place restrictions on the people of America, as bills like this always have.
Not only that, IPs do not equal persons, and with this, someone routing an IP through a remote country and attacking America would cause America to respond to said country.