If the U.S. wishes to stop this Chinese economic cyber-espionage, a
true public-private partnership is needed. Here are four ways
President Obama should work with U.S. business to combat Chinese
By Irving Lachow
The threat of Chinese cyberspying to U.S. businesses is very serious.
A report released May 22 by the Commission on the Theft of American
Intellectual Property states that: “China is two-thirds of the
intellectual property theft problem, and we are at a point where it is
robbing us of innovation to bolster their own industry, at a cost of
millions of jobs.”
If the U.S. wishes to stop this Chinese economic cyber-espionage, it
will need to increase the costs and reduce the benefits to China of
such activities. That will cause China and other competitors to
rethink whether cyberspying on businesses is worth it. Government
actions are important, but the key players in this game sit in the
private sector. A true public-private partnership is needed.
1. Threaten retaliatory actions
The U.S. government can threaten retaliatory actions — be they
economic, diplomatic, legal, or technical in nature. For example, the
U.S. could impose economic sanctions or deny visas to suspected
cyberspies and/or their enablers.
There are certainly benefits to pursuing these ideas, but U.S. options
will be limited because of the trade-offs involved in increasing
tensions with its largest trading partner. If China truly views
economic espionage as a national security matter, it will strongly
resist efforts to curtail such activity, especially if it views the US
position as being hypocritical. The US may thus risk retaliatory
actions on American companies or citizens if it pushes too hard on
2. Provide companies with actionable intelligence
The US government must provide companies with intelligence to protect
their networks. The Cyber Executive Order — a policy document issued
by the White House in February — declared that the federal government
will make such information increasingly available to critical
infrastructures like power plants and major financial institutions.
However, much of the cyber-espionage occurring today targets
organizations, including professional services firms and innovative
start-ups, that do not fall under the Cyber Executive Order’s
provision. The US Department of Homeland Security needs to use its
authority to incentivize and enable the creation of trusted
federations of companies, like the Advanced Cyber Security Center in
Massachusetts, that share cyberthreat information and best practices
for cyberprotection. By sharing what they know, companies can shed
light on the tactics that the Chinese are using — to the benefit of
3. Incentivize companies to improve their cybersecurity
Numerous studies have shown that most companies fail to effectively
implement even the most basic cybersecurity controls such as patching
known vulnerabilities and limiting the number of users with
administrative privileges. Such controls will not stop advanced
attacks, but they can make cyberspies work harder. And by stopping
lower-level attacks with these controls, they can free up corporate
resources to address more sophisticated attacks.
In addition, information sharing will provide little benefit unless
companies have the people and processes to use that information
effectively. Financial incentives, such as tax breaks and fines, may
be the best tools for changing corporate decisionmaking on this issue,
but all options should be explored.
4. Clarify the legal framework
The US government needs to delineate what kinds of “active defenses”
are permissible under different circumstances. In particular, the
Computer Fraud and Abuse Act needs to be updated to better reflect the
circumstances that companies face today. For example, it may be
necessary to clarify what actions companies can take to track the
theft of their intellectual property outside of corporate networks.
Irving Lachow is a senior fellow. director of Technology and National
Security Program at the Center for a New American Security.