Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/17/2020
02:00 PM
Eric Noonan
Eric Noonan
Commentary
100%
0%

Time for CEOs to Stop Enabling China's Blatant IP Theft

Protecting intellectual property in the name of US economic and national security should be part of every company's fiduciary duty.

Does the Chinese government steal technology from US companies? That was the question before four of the most powerful tech CEOs on the planet earlier this summer.

Jeff Bezos, Sundar Pichai, and Tim Cook all denied firsthand knowledge of such schemes. Only Mark Zuckerberg was willing to note that Chinese theft of technology from American companies was "well documented."

Zuckerberg is right, and his willingness to admit it marks a sea change in how US companies have approached business in China. That the other three dodged the question, however, shows that many businesses still value profit at all costs. 

Related Content:

Is China the World's Greatest Cyber Power?

The Threat from the Internet—and What Your Organization Can Do About It

New on The Edge: Think You're Spending Enough on Security?

What are those costs, exactly? 

In 2018, the US Trade Representative found that Chinese theft of American intellectual property (IP) costs between $225 billion and $600 billion annually. The FBI is investigating 1,000 cases of Chinese IP theft. The push for profit at all costs has resulted in lawsuits, damaged competitiveness, and if a company competes for federal government contracts — as Google and Amazon do — it can also be a matter of national security. 

The definition of shareholder value needs to shift. Instead of pursuit of profit at any cost, protecting IP in the name of US economic and national security should be part of every company's fiduciary duty to shareholders. And that means shutting the door on China's rampant hacking and theft of US companies' technology. Too many companies are still either ignorant or neglectful of their cybersecurity. 

Here are two ways we can change that and better guard American innovation from the Chinese hackers working so diligently to steal it.  

Transform the Boardroom
When you look at board member profiles, it's rare to see anyone with any kind of IT savvy, let alone a cybersecurity background. With all the press around data breaches and advanced persistent threats, with the results of these attacks starting to show up in public filings, it's clear cybersecurity should not only be a board-level concern but should influence the very composition of the board. 

Instead of having a CISO show up quarterly to offer the board a report, companies should have a former CISO on the board. Perhaps there should even be a requirement that public companies have at least one member of the board with deep expertise in cybersecurity. 

Lacking that board-level expertise leaves many businesses ignorant of one of the biggest risks they face: A cyberattack that not only disrupts the business but results in the loss of IP. 

Take a New Perspective on Compliance
Multinational businesses are drowning in regulatory requirements from GDPR and CCPA to PCI DSS and the new CMMC. From international rules to state data breach laws, companies have so much to comply with that they develop a check-box mentality around cybersecurity. 

The philosophy is that if they follow the rules and pass their audits, they're fine. If a company has a credit card breach, it can produce five years of successful PCI DSS audits to show it did what it was supposed to do. This is a focus on compliance for compliance's sake, instead of on actual operational security. 

The two don't have to be mutually exclusive, but it does take thought and effort to align day-to-day operations with compliance. The board often doesn't see the gulf between the two. They see red, yellow, and green on a presentation slide about compliance and ask questions about the speed of audits. With more cybersecurity expertise on that board, it can start digging deeper and support the marriage of regulatory compliance with day-to-day operations. 

Why Protecting IP Is the New Imperative
Whether by ignorance or negligence, many American companies have become victims of China's IP theft. But a desire for profits over protection may be reaching its end. 

The world is waking up to the blatant IP theft China has perpetrated for years and the damage it leaves in its wake. If you're not working to harden your security, to ensure your board has at least one member who's an expert in cybersecurity, and to ensure compliance isn't just a checked box but an operational security stance, you're ultimately not serving your stakeholders, your business, or your country.

Eric is CEO for CyberSheath Services International, LLC and is a respected cybersecurity expert having testified before the House Armed Services Committee (HASC) Subcommittee on Emerging Threats and Capabilities and served on the Council on Cyber Security expert panel to ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25316
PUBLISHED: 2021-04-14
A Insecure Temporary File vulnerability in s390-tools of SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-SP2 allows local attackers to prevent VM live migrations This issue affects: SUSE Linux Enterprise Server 12-SP5 s390-tools versions prior to 2.1.0-18.29.1. SUSE Linux Enterp...
CVE-2021-28797
PUBLISHED: 2021-04-14
A stack-based buffer overflow vulnerability has been reported to affect QNAP NAS devices running Surveillance Station. If exploited, this vulnerability allows attackers to execute arbitrary code. QNAP have already fixed this vulnerability in the following versions: Surveillance Station 5.1.5.4.3 (an...
CVE-2020-36323
PUBLISHED: 2021-04-14
In the standard library in Rust before 1.50.3, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked.
CVE-2021-31162
PUBLISHED: 2021-04-14
In the standard library in Rust before 1.53.0, a double free can occur in the Vec::from_iter function if freeing the element panics.
CVE-2017-20004
PUBLISHED: 2021-04-14
In the standard library in Rust before 1.19.0, there is a synchronization problem in the MutexGuard object. MutexGuards can be used across threads with any types, allowing for memory safety issues through race conditions.