

9/17/2020 02:00 PM
Eric Noonan
Commentary

Time for CEOs to Stop Enabling China's Blatant IP Theft

Protecting intellectual property in the name of US economic and national security should be part of every company's fiduciary duty.

Does the Chinese government steal technology from US companies? That was the question before four of the most powerful tech CEOs on the planet earlier this summer.

Jeff Bezos, Sundar Pichai, and Tim Cook all denied firsthand knowledge of such schemes. Only Mark Zuckerberg was willing to note that Chinese theft of technology from American companies was "well documented."

Zuckerberg is right, and his willingness to admit it marks a sea change in how US companies have approached business in China. That the other three dodged the question, however, shows that many businesses still value profit at all costs.


What are those costs, exactly?

In 2018, the US Trade Representative found that Chinese theft of American intellectual property (IP) costs between $225 billion and $600 billion annually. The FBI is investigating 1,000 cases of Chinese IP theft. The push for profit at all costs has resulted in lawsuits, damaged competitiveness, and if a company competes for federal government contracts — as Google and Amazon do — it can also be a matter of national security. 

The definition of shareholder value needs to shift. Instead of pursuit of profit at any cost, protecting IP in the name of US economic and national security should be part of every company's fiduciary duty to shareholders. And that means shutting the door on China's rampant hacking and theft of US companies' technology. Too many companies are still either ignorant or neglectful of their cybersecurity. 

Here are two ways we can change that and better guard American innovation from the Chinese hackers working so diligently to steal it.

Transform the Boardroom
When you look at board member profiles, it's rare to see anyone with any kind of IT savvy, let alone a cybersecurity background. With all the press around data breaches and advanced persistent threats, with the results of these attacks starting to show up in public filings, it's clear cybersecurity should not only be a board-level concern but should influence the very composition of the board. 

Instead of having a CISO show up quarterly to offer the board a report, companies should have a former CISO on the board. Perhaps there should even be a requirement that public companies have at least one member of the board with deep expertise in cybersecurity. 

Lacking that board-level expertise leaves many businesses ignorant of one of the biggest risks they face: a cyberattack that not only disrupts the business but results in the loss of IP.

Take a New Perspective on Compliance
Multinational businesses are drowning in regulatory requirements from GDPR and CCPA to PCI DSS and the new CMMC. From international rules to state data breach laws, companies have so much to comply with that they develop a check-box mentality around cybersecurity. 

The philosophy is that if they follow the rules and pass their audits, they're fine. If a company has a credit card breach, it can produce five years of successful PCI DSS audits to show it did what it was supposed to do. This is a focus on compliance for compliance's sake, instead of on actual operational security. 

The two don't have to be mutually exclusive, but it does take thought and effort to align day-to-day operations with compliance. The board often doesn't see the gulf between the two: it sees red, yellow, and green on a presentation slide about compliance and asks questions about the speed of audits. With more cybersecurity expertise on that board, it can start digging deeper and support the marriage of regulatory compliance with day-to-day operations.

Why Protecting IP Is the New Imperative
Whether by ignorance or negligence, many American companies have become victims of China's IP theft. But a desire for profits over protection may be reaching its end. 

The world is waking up to the blatant IP theft China has perpetrated for years and the damage it leaves in its wake. If you're not working to harden your security, to ensure your board has at least one member who's an expert in cybersecurity, and to ensure compliance isn't just a checked box but an operational security stance, you're ultimately not serving your stakeholders, your business, or your country.

Eric is CEO of CyberSheath Services International, LLC, and is a respected cybersecurity expert, having testified before the House Armed Services Committee (HASC) Subcommittee on Emerging Threats and Capabilities and served on the Council on Cyber Security expert panel to ...