The United States needs a more systematic approach to engage with China on cybersecurity and intellectual property issues, and to address the ongoing theft of industrial and defensive technologies via cyberattacks, a panel of policy and technology experts stated last week.
Without good options to respond to other nations' cyber operations, the US and Western countries are at a disadvantage. While the lion's share of cyberattacks are criminal in nature, the targeting of intellectual property is eroding — and in some areas, has already eroded — the United States' technological lead. The resemblance between China's advanced fighter aircraft and the US F-35 stealth fighter underscores that China is building much of its global power on technology from the US and other countries, said US Senator Angus King Jr. (I-ME), in a keynote for the virtual panel 'Stopping IP Theft by China' hosted by the MITRE Corp.
"The magnitude of intellectual property theft over the past decade has been staggering, into the billions, probably the trillions," said the senator, who co-chaired the Cyberspace Solarium Commission, a bipartisan effort to create policy recommendations for cyberspace. "And it has, I believe, powered the rise of the Chinese technology sector. [For the US,] it is not only a financial question, but a national security question, with this stealing of national security information and intellectual property that is very important to maintaining a qualitative edge for our national defense."
The Jan. 28 virtual roundtable focused on strategies for dealing with Chinese theft of intellectual property, with participants agreeing that the problem represented a fundamental threat to the US economy and its role in the world, and that a multi-pronged effort would be needed to dissuade Chinese cyber operations.
Unfortunately, the nation-state attackers have the advantage, said Lora Randolph, senior principal engineer at MITRE.
"This is an asymmetric game," she said. "The defender has to plug every possible hole, and the adversary only has to find one way in, so we are really at a disadvantage. So the goal is to really change that dynamic."
The basis for any strategy is to focus on three fundamental goals, Randolph said: making attacks more costly for the attacker, diminishing the value of attacks, and allowing both government and private-sector organizations to benefit.
"Our goal here is to require the Chinese government to work harder and longer to achieve their objective," she said. "And this starts with really understanding the adversary's behavior."
Starting in 2014, with the indictment of five members of the Chinese military for stealing trade secrets, the US Department of Justice has occasionally filed charges against individuals identified in intellectual property theft. The goal is to deter the individuals, vindicate the victim's interest, and create an unclassified, public record so that other agencies and international allies can take action, said panel participant Adam Hickey, deputy assistant attorney general at the US Department of Justice.
Hickey admitted that criminal prosecutions alone will not likely make a difference. The DoJ also has focused on punishing those who have benefited from stolen intellectual property to reduce the demand for stolen technologies and trade secrets.
"The gold standard of what we are trying to do is target the beneficiaries of the theft of IP," he said. "We leverage a criminal prosecution and share information for other parts of the government, so beneficiaries of the theft don't enjoy the value of it or can't profit from it."
The US must also consider the differences in how cultures approach intellectual property, said Marcus Sachs, deputy director for research at Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security.
The concept of putting boundaries around property is very different, and Americans tend to lose that perspective, he said.
"In a globally competitive world, we have to agree to some norms of behavior, and whether that norm is an Eastern norm or a Western norm is up for debate," Sachs said. "We need to think about how we define intellectual property, just as China has to think about how they define intellectual property."
From a governmental perspective, the Trump administration implemented many of the recommendations of the Cyberspace Solarium Commission, and the Biden administration has started implementing many more, such as creating a single office for cybersecurity policy, said Senator King.
A lot still has to be done. Structure is policy, and for cyber, the United States' messy structure has led to a messy policy, he said.
"One of the problems is that cyber, and the responsibility for cyber, is spread all over the US government," Senator King said. "It's all over the place — we have excellent silos, but they are still silos."