1. Threaten retaliatory actions
The US government can threaten retaliatory actions – be they economic, diplomatic, legal, or technical in nature. For example, the US could impose economic sanctions or deny visas to suspected cyberspies and/or their enablers.
There are certainly benefits to pursuing these ideas, but US options will be limited because of the trade-offs involved in increasing tensions with its largest trading partner. If China truly views economic espionage as a national security matter, it will strongly resist efforts to curtail such activity, especially if it views the US position as being hypocritical. The US may thus risk retaliatory actions on American companies or citizens if it pushes too hard on this issue.
Irving Lachow is a senior fellow and director of the Technology and National Security Program at the Center for a New American Security.
Provide companies with actionable intelligence
The US government must provide companies with intelligence to protect their networks. The Cyber Executive Order – a policy document issued by the White House in February – declared that the federal government will make such information increasingly available to critical infrastructures like power plants and major financial institutions.
However, much of the cyber-espionage occurring today targets organizations, including professional services firms and innovative start-ups, that do not fall under the Cyber Executive Order’s provision. The US Department of Homeland Security needs to use its authority to incentivize and enable the creation of trusted federations of companies, like the Advanced Cyber Security Center in Massachusetts, that share cyberthreat information and best practices for cyberprotection. By sharing what they know, companies can shed light on the tactics that the Chinese are using – to the benefit of all.
Incentivize companies to improve their cybersecurity
Numerous studies have shown that most companies fail to effectively implement even the most basic cybersecurity controls, such as patching known vulnerabilities and limiting the number of users with administrative privileges. Such controls will not stop advanced attacks, but they can make cyberspies work harder. And by stopping lower-level attacks with these controls, companies can free up corporate resources to address more sophisticated attacks.
In addition, information sharing will provide little benefit unless companies have the people and processes to use that information effectively. Financial incentives, such as tax breaks and fines, may be the best tools for changing corporate decisionmaking on this issue, but all options should be explored.
Clarify the legal framework
The US government needs to delineate what kinds of “active defenses” are permissible under different circumstances. In particular, the Computer Fraud and Abuse Act needs to be updated to better reflect the circumstances that companies face today. For example, it may be necessary to clarify what actions companies can take to track the theft of their intellectual property outside of corporate networks.