4 ways Obama should work with US business to combat China’s cyberspying

The threat of Chinese cyberspying to US businesses is very serious. A report released May 22 by the Commission on the Theft of American Intellectual Property states that: “China is two-thirds of the intellectual property theft problem, and we are at a point where it is robbing us of innovation to bolster their own industry, at a cost of millions of jobs.”

If the US wishes to stop this Chinese economic cyber-espionage, it will need to increase the costs and reduce the benefits to China of such activities. That will cause China and other competitors to rethink whether cyberspying on businesses is worth it. Government actions are important, but the key players in this game sit in the private sector. A true public-private partnership is needed.

Here are four ways President Obama should work with US business to combat Chinese cyberspying.

1. Threaten retaliatory actions

The US government can threaten retaliatory actions – be they economic, diplomatic, legal, or technical in nature. For example, the US could impose economic sanctions or deny visas to suspected cyberspies and/or their enablers.

There are certainly benefits to pursuing these ideas, but US options will be limited because of the trade-offs involved in increasing tensions with its largest trading partner. If China truly views economic espionage as a national security matter, it will strongly resist efforts to curtail such activity, especially if it views the US position as being hypocritical. The US may thus risk retaliatory actions on American companies or citizens if it pushes too hard on this issue.

Irving Lachow is a senior fellow and director of the Technology and National Security Program at the Center for a New American Security.

2. Provide companies with actionable intelligence

The US government must provide companies with intelligence to protect their networks. The Cyber Executive Order – a policy document issued by the White House in February – declared that the federal government will make such information increasingly available to critical infrastructures like power plants and major financial institutions.

However, much of the cyber-espionage occurring today targets organizations, including professional services firms and innovative start-ups, that do not fall under the Cyber Executive Order’s provision. The US Department of Homeland Security needs to use its authority to incentivize and enable the creation of trusted federations of companies, like the Advanced Cyber Security Center in Massachusetts, that share cyberthreat information and best practices for cyberprotection. By sharing what they know, companies can shed light on the tactics that the Chinese are using – to the benefit of all.

3. Incentivize companies to improve their cybersecurity

Numerous studies have shown that most companies fail to effectively implement even the most basic cybersecurity controls, such as patching known vulnerabilities and limiting the number of users with administrative privileges. Such controls will not stop advanced attacks, but they can make cyberspies work harder. And by stopping lower-level attacks with these controls, companies can free up corporate resources to address more sophisticated attacks.

In addition, information sharing will provide little benefit unless companies have the people and processes to use that information effectively. Financial incentives, such as tax breaks and fines, may be the best tools for changing corporate decision-making on this issue, but all options should be explored.

4. Clarify the legal framework

The US government needs to delineate what kinds of “active defenses” are permissible under different circumstances. In particular, the Computer Fraud and Abuse Act needs to be updated to better reflect the circumstances that companies face today. For example, it may be necessary to clarify what actions companies can take to track the theft of their intellectual property outside of corporate networks.