Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

US Needs Comprehensive Policy to Combat China on IP Theft

The United States cannot lose sight of Chinese cyber operations that target intellectual property, a panel of experts says.

The United States needs a more systematic approach to engage with China on cybersecurity and intellectual property issues, and to address the ongoing theft of industrial and defensive technologies via cyberattacks, a panel of policy and technology experts stated last week.

Without good options to respond to other nations' cyber operations, the US and Western countries are at a disadvantage. While the lion's share of cyberattacks are criminal in nature, the targeting of intellectual property is eroding — and in some areas, has already eroded — the United States' technological lead. The resemblance between China's advanced fighter aircraft and the US F-35 stealth fighter underscores that China is building much of its global power on technology from the US and other countries, said US Senator Angus King Jr. (I-ME), in a keynote for the virtual panel 'Stopping IP Theft by China' hosted by the MITRE Corp.

Related Content:

'The New Normal': US Charges Chinese Military Officers With Cyber Espionage

Special Report: 2021 Top Enterprise IT Trends

New From The Edge: Building Your Personal Privacy Risk Tolerance Profile

"The magnitude of intellectual property theft over the past decade has been staggering, into the billions, probably the trillions," said the senator, who co-chaired the Cyberspace Solarium Commission, a bipartisan effort to create policy recommendations for cyberspace. "And it has, I believe, powered the rise of the Chinese technology sector. [For the US,] it is not only a financial question, but a national security question, with this stealing of national security information and intellectual property that is very important to maintaining a qualitative edge for our national defense."

The Jan. 28 virtual roundtable focused on strategies for dealing with Chinese theft of intellectual property, with participants agreeing that the problem represented a fundamental threat to the US economy and its role in the world, and that a multi-pronged effort would be needed to dissuade Chinese cyber operations.

Unfortunately, the nation-state attackers have the advantage, said Lora Randolph, senior principal engineer at MITRE.

"This is an asymmetric game," she said. "The defender has to plug every possible hole, and the adversary only has to find one way in, so we are really at a disadvantage. So the goal is to really change that dynamic."

The basis for any strategy is to focus on three fundamental goals, Randolph said: Making attacks more costly for the attacker, diminishing the value of attacks, and allowing both government and private-sector organizations to benefit. 

"Our goal here is to require the Chinese government to work harder and longer to achieve their objective," she said. "And this starts with really understanding the adversary's behavior."

Starting in 2014, with the indictment of five members of the Chinese military for stealing trade secrets, the US Department of Justice has occasionally filed charges against individuals identified in intellectual property theft. The goal is to deter the individuals, vindicate the victim's interest, and create an unclassified, public record so that other agencies and international allies can take action, said panel participant Adam Hickey, deputy assistant attorney general at the US Department of Justice.

Hickey admitted that criminal prosecutions alone will not likely make a difference. The DoJ also has focused on punishing those who have benefited from stolen intellectual property to reduce the demand for stolen technologies and trade secrets.

"The gold standard of what we are trying to do is target the beneficiaries of the theft of IP," he said. "We leverage a criminal prosecution and share information for other parts of the government, so beneficiaries of the theft don't enjoy the value of it or can't profit from it."

The US must also consider the differences in how cultures approach intellectual property, said Marcus Sachs, deputy director for research at Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security.

The concept of putting boundaries around property is very different, and Americans tend to lose that perspective, he said.

"In a globally competitive world, we have to agree to some norms of behavior, and whether that norm is an Eastern norm or a Western norm is up for debate," Sachs said. "We need to think about how we define intellectual property, just as China has to think about how they define intellectual property."

From a governmental perspective, the Trump administration implemented many of the recommendations of the Cyberspace Solarium Commission, and the Biden administration has started implementing many more, such as creating a single office for cybersecurity policy, said Senator King. 

A lot still has to be done. Structure is policy, and for cyber, the United States' messy structure has led to a messy policy, he said.

"One of the problems is that cyber, and the responsibility for cyber, is spread all over the US government," Senator King said. "It's all over the place — we have excellent silos, but they are still silos."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10062
PUBLISHED: 2021-05-13
The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework 1.x repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements, which makes it feasible for remote attackers to conduct XSS attacks via (for example) JavaScript code in an attri...
CVE-2020-23995
PUBLISHED: 2021-05-13
An information disclosure vulnerability in ILIAS before 5.3.19, 5.4.12 and 6.0 allows remote authenticated attackers to get the upload data path via a workspace upload.
CVE-2020-23996
PUBLISHED: 2021-05-13
A local file inclusion vulnerability in ILIAS before 5.3.19, 5.4.10 and 6.0 allows remote authenticated attackers to execute arbitrary code via the import of personal data.
CVE-2021-29510
PUBLISHED: 2021-05-13
Pydantic is a data validation and settings management using Python type hinting. In affected versions passing either `'infinity'`, `'inf'` or `float('inf')` (or their negatives) to `datetime` or `date` fields causes validation to run forever with 100% CPU usage (on one CPU). Pydantic has been patche...
CVE-2021-23906
PUBLISHED: 2021-05-13
An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. A Message Length is not checked in the HiQnet Protocol, leading to remote code execution.