Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/17/2020
02:00 PM
Eric Noonan
Eric Noonan
Commentary
100%
0%

Time for CEOs to Stop Enabling China's Blatant IP Theft

Protecting intellectual property in the name of US economic and national security should be part of every company's fiduciary duty.

Does the Chinese government steal technology from US companies? That was the question before four of the most powerful tech CEOs on the planet earlier this summer.

Jeff Bezos, Sundar Pichai, and Tim Cook all denied firsthand knowledge of such schemes. Only Mark Zuckerberg was willing to note that Chinese theft of technology from American companies was "well documented."

Zuckerberg is right, and his willingness to admit it marks a sea change in how US companies have approached business in China. That the other three dodged the question, however, shows that many businesses still value profit at all costs. 

Related Content:

Is China the World's Greatest Cyber Power?

The Threat from the Internet—and What Your Organization Can Do About It

New on The Edge: Think You're Spending Enough on Security?

What are those costs, exactly? 

In 2018, the US Trade Representative found that Chinese theft of American intellectual property (IP) costs between $225 billion and $600 billion annually. The FBI is investigating 1,000 cases of Chinese IP theft. The push for profit at all costs has resulted in lawsuits, damaged competitiveness, and if a company competes for federal government contracts — as Google and Amazon do — it can also be a matter of national security. 

The definition of shareholder value needs to shift. Instead of pursuit of profit at any cost, protecting IP in the name of US economic and national security should be part of every company's fiduciary duty to shareholders. And that means shutting the door on China's rampant hacking and theft of US companies' technology. Too many companies are still either ignorant or neglectful of their cybersecurity. 

Here are two ways we can change that and better guard American innovation from the Chinese hackers working so diligently to steal it.  

Transform the Boardroom
When you look at board member profiles, it's rare to see anyone with any kind of IT savvy, let alone a cybersecurity background. With all the press around data breaches and advanced persistent threats, with the results of these attacks starting to show up in public filings, it's clear cybersecurity should not only be a board-level concern but should influence the very composition of the board. 

Instead of having a CISO show up quarterly to offer the board a report, companies should have a former CISO on the board. Perhaps there should even be a requirement that public companies have at least one member of the board with deep expertise in cybersecurity. 

Lacking that board-level expertise leaves many businesses ignorant of one of the biggest risks they face: A cyberattack that not only disrupts the business but results in the loss of IP. 

Take a New Perspective on Compliance
Multinational businesses are drowning in regulatory requirements from GDPR and CCPA to PCI DSS and the new CMMC. From international rules to state data breach laws, companies have so much to comply with that they develop a check-box mentality around cybersecurity. 

The philosophy is that if they follow the rules and pass their audits, they're fine. If a company has a credit card breach, it can produce five years of successful PCI DSS audits to show it did what it was supposed to do. This is a focus on compliance for compliance's sake, instead of on actual operational security. 

The two don't have to be mutually exclusive, but it does take thought and effort to align day-to-day operations with compliance. The board often doesn't see the gulf between the two. They see red, yellow, and green on a presentation slide about compliance and ask questions about the speed of audits. With more cybersecurity expertise on that board, it can start digging deeper and support the marriage of regulatory compliance with day-to-day operations. 

Why Protecting IP Is the New Imperative
Whether by ignorance or negligence, many American companies have become victims of China's IP theft. But a desire for profits over protection may be reaching its end. 

The world is waking up to the blatant IP theft China has perpetrated for years and the damage it leaves in its wake. If you're not working to harden your security, to ensure your board has at least one member who's an expert in cybersecurity, and to ensure compliance isn't just a checked box but an operational security stance, you're ultimately not serving your stakeholders, your business, or your country.

Eric is CEO for CyberSheath Services International, LLC and is a respected cybersecurity expert having testified before the House Armed Services Committee (HASC) Subcommittee on Emerging Threats and Capabilities and served on the Council on Cyber Security expert panel to ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.