Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

US Needs Comprehensive Policy to Combat China on IP Theft

The United States cannot lose sight of Chinese cyber operations that target intellectual property, a panel of experts says.

The United States needs a more systematic approach to engage with China on cybersecurity and intellectual property issues, and to address the ongoing theft of industrial and defensive technologies via cyberattacks, a panel of policy and technology experts stated last week.

Without good options to respond to other nations' cyber operations, the US and Western countries are at a disadvantage. While the lion's share of cyberattacks are criminal in nature, the targeting of intellectual property is eroding — and in some areas, has already eroded — the United States' technological lead. The resemblance between China's advanced fighter aircraft and the US F-35 stealth fighter underscores that China is building much of its global power on technology from the US and other countries, said US Senator Angus King Jr. (I-ME), in a keynote for the virtual panel 'Stopping IP Theft by China' hosted by the MITRE Corp.

Related Content:

'The New Normal': US Charges Chinese Military Officers With Cyber Espionage

Special Report: 2021 Top Enterprise IT Trends

New From The Edge: Building Your Personal Privacy Risk Tolerance Profile

"The magnitude of intellectual property theft over the past decade has been staggering, into the billions, probably the trillions," said the senator, who co-chaired the Cyberspace Solarium Commission, a bipartisan effort to create policy recommendations for cyberspace. "And it has, I believe, powered the rise of the Chinese technology sector. [For the US,] it is not only a financial question, but a national security question, with this stealing of national security information and intellectual property that is very important to maintaining a qualitative edge for our national defense."

The Jan. 28 virtual roundtable focused on strategies for dealing with Chinese theft of intellectual property, with participants agreeing that the problem represented a fundamental threat to the US economy and its role in the world, and that a multi-pronged effort would be needed to dissuade Chinese cyber operations.

Unfortunately, the nation-state attackers have the advantage, said Lora Randolph, senior principal engineer at MITRE.

"This is an asymmetric game," she said. "The defender has to plug every possible hole, and the adversary only has to find one way in, so we are really at a disadvantage. So the goal is to really change that dynamic."

The basis for any strategy is to focus on three fundamental goals, Randolph said: Making attacks more costly for the attacker, diminishing the value of attacks, and allowing both government and private-sector organizations to benefit. 

"Our goal here is to require the Chinese government to work harder and longer to achieve their objective," she said. "And this starts with really understanding the adversary's behavior."

Starting in 2014, with the indictment of five members of the Chinese military for stealing trade secrets, the US Department of Justice has occasionally filed charges against individuals identified in intellectual property theft. The goal is to deter the individuals, vindicate the victim's interest, and create an unclassified, public record so that other agencies and international allies can take action, said panel participant Adam Hickey, deputy assistant attorney general at the US Department of Justice.

Hickey admitted that criminal prosecutions alone will not likely make a difference. The DoJ also has focused on punishing those who have benefited from stolen intellectual property to reduce the demand for stolen technologies and trade secrets.

"The gold standard of what we are trying to do is target the beneficiaries of the theft of IP," he said. "We leverage a criminal prosecution and share information for other parts of the government, so beneficiaries of the theft don't enjoy the value of it or can't profit from it."

The US must also consider the differences in how cultures approach intellectual property, said Marcus Sachs, deputy director for research at Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security.

The concept of putting boundaries around property is very different, and Americans tend to lose that perspective, he said.

"In a globally competitive world, we have to agree to some norms of behavior, and whether that norm is an Eastern norm or a Western norm is up for debate," Sachs said. "We need to think about how we define intellectual property, just as China has to think about how they define intellectual property."

From a governmental perspective, the Trump administration implemented many of the recommendations of the Cyberspace Solarium Commission, and the Biden administration has started implementing many more, such as creating a single office for cybersecurity policy, said Senator King. 

A lot still has to be done. Structure is policy, and for cyber, the United States' messy structure has led to a messy policy, he said.

"One of the problems is that cyber, and the responsibility for cyber, is spread all over the US government," Senator King said. "It's all over the place — we have excellent silos, but they are still silos."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-26
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key va...
PUBLISHED: 2021-02-26
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to...
PUBLISHED: 2021-02-26
All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to an internal system file, such as <iframe src='file:///etc/passwd'>.
PUBLISHED: 2021-02-26
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default beh...
PUBLISHED: 2021-02-26
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via th...