Dark Reading is part of the Informa Tech Division of Informa PLC

Vulnerabilities / Threats

9/17/2020 02:00 PM
Eric Noonan
Commentary

Time for CEOs to Stop Enabling China's Blatant IP Theft

Protecting intellectual property in the name of US economic and national security should be part of every company's fiduciary duty.

Does the Chinese government steal technology from US companies? That was the question before four of the most powerful tech CEOs on the planet earlier this summer.

Jeff Bezos, Sundar Pichai, and Tim Cook all denied firsthand knowledge of such schemes. Only Mark Zuckerberg was willing to note that Chinese theft of technology from American companies was "well documented."

Zuckerberg is right, and his willingness to admit it marks a sea change in how US companies have approached business in China. That the other three dodged the question, however, shows that many businesses still value profit at all costs. 


What are those costs, exactly? 

In 2018, the US Trade Representative found that Chinese theft of American intellectual property (IP) costs between $225 billion and $600 billion annually. The FBI is investigating 1,000 cases of Chinese IP theft. The push for profit at all costs has resulted in lawsuits, damaged competitiveness, and if a company competes for federal government contracts — as Google and Amazon do — it can also be a matter of national security. 

The definition of shareholder value needs to shift. Instead of pursuit of profit at any cost, protecting IP in the name of US economic and national security should be part of every company's fiduciary duty to shareholders. And that means shutting the door on China's rampant hacking and theft of US companies' technology. Too many companies are still either ignorant or neglectful of their cybersecurity. 

Here are two ways we can change that and better guard American innovation from the Chinese hackers working so diligently to steal it.  

Transform the Boardroom
When you look at board member profiles, it's rare to see anyone with any kind of IT savvy, let alone a cybersecurity background. With all the press around data breaches and advanced persistent threats, with the results of these attacks starting to show up in public filings, it's clear cybersecurity should not only be a board-level concern but should influence the very composition of the board. 

Instead of having a CISO show up quarterly to offer the board a report, companies should have a former CISO on the board. Perhaps there should even be a requirement that public companies have at least one member of the board with deep expertise in cybersecurity. 

Lacking that board-level expertise leaves many businesses ignorant of one of the biggest risks they face: A cyberattack that not only disrupts the business but results in the loss of IP. 

Take a New Perspective on Compliance
Multinational businesses are drowning in regulatory requirements from GDPR and CCPA to PCI DSS and the new CMMC. From international rules to state data breach laws, companies have so much to comply with that they develop a check-box mentality around cybersecurity. 

The philosophy is that if they follow the rules and pass their audits, they're fine. If a company has a credit card breach, it can produce five years of successful PCI DSS audits to show it did what it was supposed to do. This is a focus on compliance for compliance's sake, instead of on actual operational security. 

The two don't have to be mutually exclusive, but it does take thought and effort to align day-to-day operations with compliance. The board often doesn't see the gulf between the two. They see red, yellow, and green on a presentation slide about compliance and ask questions about the speed of audits. With more cybersecurity expertise on that board, it can start digging deeper and support the marriage of regulatory compliance with day-to-day operations. 

Why Protecting IP Is the New Imperative
Whether by ignorance or negligence, many American companies have become victims of China's IP theft. But a desire for profits over protection may be reaching its end. 

The world is waking up to the blatant IP theft China has perpetrated for years and the damage it leaves in its wake. If you're not working to harden your security, to ensure your board has at least one member who's an expert in cybersecurity, and to ensure compliance isn't just a checked box but an operational security stance, you're ultimately not serving your stakeholders, your business, or your country.

Eric is CEO for CyberSheath Services International, LLC and is a respected cybersecurity expert having testified before the House Armed Services Committee (HASC) Subcommittee on Emerging Threats and Capabilities and served on the Council on Cyber Security expert panel to ...