On February 20, 2013, just one week after the Obama Administration issued an Executive Order on “Improving Critical Infrastructure Cybersecurity,” it released its “Administration Strategy on Mitigating the Theft of U.S. Trade Secrets.” The Strategy states that the Obama Administration will take steps to make sure that our trading partners treat trade secret theft as a serious issue. The facts and conclusions stated in the attachments to the Strategy, however, reveal a fundamental weakness in the Strategy.
Another attachment is the National Counter-Intelligence Executive’s Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-11, which is titled “Foreign Spies Stealing U.S. Economic Secrets in Cyberspace.” The Executive Summary of that Report states: “Chinese actors are the world’s most active and persistent perpetrators of economic espionage. U.S. private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the [Intelligence Community] cannot confirm who was responsible.” In a report issued on February 18, 2013, the cybersecurity firm Mandiant Corp. stated that most of those network intrusions could be traced back to a Shanghai hacking group sponsored by the People’s Liberation Army of China.
The final attachment to the White House Strategy is a Report by the Defense Security Service titled “Targeting U.S. Technologies – A Trend Analysis of Reporting from the Defense Industry, 2012.” It reports that in 2011 43% of the foreign attempts to obtain illegal or unauthorized access to sensitive or classified information in the U.S. originated from East Asia and the Pacific – primarily China.
Despite attaching all of this data to its Strategy, the Obama Administration never mentions China in its Strategy. The Strategy states five Strategy Action Items, but it contains no application of any of them specifically to the threat from China. Even taking into account a strategic interest in not disclosing all of the Obama Administration’s intentions, this is a major flaw in the Strategy.
The first Strategy Action Item is to focus diplomatic efforts to protect trade secrets overseas. A key phrase in this section of the Strategy is “where there are regular incidents of trade secret theft.” For example, the Strategy states that the Administration will apply “sustained and coordinated diplomatic pressure” on other governments to discourage trade secret theft “by utilizing a whole of government approach directed at a sustained and coordinated message from all appropriate agencies to foreign governments where there are regular incidents of trade secret theft.” Moreover, the Plan states that to assist in this effort “the Department of State will track scheduled diplomatic engagements and meetings by senior Administration officials with governments of countries where there are regular incidents of trade secret theft or that may be complicit in trade secret theft.”
In recent years, as shown by the attachments to the White House’s Strategy, no country has been a greater source of threats to American trade secrets than China. An open question, however, is the extent to which the Obama Administration is prepared to apply diplomatic pressure to China – the country which, at present, is the greatest source of the trade secret threats. When the Obama Administration released a few weeks ago a list of computer addresses linked to the theft of terabytes of data from American corporations, it omitted the fact that almost all of the addresses could be traced to a Shanghai neighborhood that is the home of the Chinese military’s cyber command. When Mandiant Corp. released its report tracing 141 incidents of cyber espionage to the same location, Administration officials said privately they had no problem with Mandiant Corp.’s conclusions but they would not say so on the record. One intelligence official is reported to have said: “We were told that directly embarrassing the Chinese would backfire. It would only make them more defensive, and more nationalistic.”
As part of its Strategy, the Obama Administration does commit to use trade policy tools to increase international enforcement against trade secret theft, including “targeting weaknesses in trade secret protection through enhanced use of the Annual 301 process.” When countries are placed on the priority watch list in annual reports of the U.S. Trade Representative, they receive “increased bilateral attention.” The failure of previous attempts by the American Government to persuade the Chinese Government to crack down on piracy, however, does not breed confidence. More significantly, the Chinese Government denies it engages in or condones any cyber espionage. If the Obama Administration believes that directly accusing the Chinese of cyber espionage and theft of trade secrets will only make them more defensive and nationalistic, it does not seem likely that diplomacy will solve or even mitigate the threat.
The second Strategy Action Item is to promote voluntary practices by private industry to protect trade secrets. “The Administration will encourage companies and industry associations to develop and adopt voluntary best practices, consistent with anti-trust laws, and help highlight those practices.”
Section 8 of the President’s Executive Order directs the Secretary of Homeland Security to establish a “voluntary program” to support the adoption of a Cybersecurity Framework by owners and operators of “Critical Infrastructure.” In particular, Section 8(d) directs the Secretary to “coordinate the establishment of a set of incentives designed to promote participation in the program.”
If the Administration is to obtain substantive input from the owners and operators of “Critical Infrastructure,” and if the Administration hopes to induce the private sector to participate in any kind of standard-setting for the protection of trade secrets, it will have to address the private sector’s legitimate concerns, including concerns about the confidentiality of security information that is shared with the Government and others, potential antitrust and securities liabilities, potential tort liability for failure to meet standards and privacy concerns. This will require legislation, which the Administration has not yet been able to get through Congress.
Moreover, the Strategy recognizes that “[i]dentified best practices may not be suitable for every company or organization.” Therefore, the Strategy concedes that any guidelines are intended solely to offer “suggestions” to assist companies in safeguarding information. “Suggestions” do not constitute an effective strategy for combating sophisticated advanced persistent threats from an adversary as determined to advance itself and its country’s state-owned enterprises as the PLA.
No comments:
Post a Comment