Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

US Needs Comprehensive Policy to Combat China on IP Theft

The United States cannot lose sight of Chinese cyber operations that target intellectual property, a panel of experts says.

The United States needs a more systematic approach to engage with China on cybersecurity and intellectual property issues, and to address the ongoing theft of industrial and defensive technologies via cyberattacks, a panel of policy and technology experts stated last week.

Without good options to respond to other nations' cyber operations, the US and Western countries are at a disadvantage. While the lion's share of cyberattacks are criminal in nature, the targeting of intellectual property is eroding — and in some areas, has already eroded — the United States' technological lead. The resemblance between China's advanced fighter aircraft and the US F-35 stealth fighter underscores that China is building much of its global power on technology from the US and other countries, said US Senator Angus King Jr. (I-ME), in a keynote for the virtual panel 'Stopping IP Theft by China' hosted by the MITRE Corp.

Related Content:

'The New Normal': US Charges Chinese Military Officers With Cyber Espionage

Special Report: 2021 Top Enterprise IT Trends

New From The Edge: Building Your Personal Privacy Risk Tolerance Profile

"The magnitude of intellectual property theft over the past decade has been staggering, into the billions, probably the trillions," said the senator, who co-chaired the Cyberspace Solarium Commission, a bipartisan effort to create policy recommendations for cyberspace. "And it has, I believe, powered the rise of the Chinese technology sector. [For the US,] it is not only a financial question, but a national security question, with this stealing of national security information and intellectual property that is very important to maintaining a qualitative edge for our national defense."

The Jan. 28 virtual roundtable focused on strategies for dealing with Chinese theft of intellectual property, with participants agreeing that the problem represented a fundamental threat to the US economy and its role in the world, and that a multi-pronged effort would be needed to dissuade Chinese cyber operations.

Unfortunately, the nation-state attackers have the advantage, said Lora Randolph, senior principal engineer at MITRE.

"This is an asymmetric game," she said. "The defender has to plug every possible hole, and the adversary only has to find one way in, so we are really at a disadvantage. So the goal is to really change that dynamic."

The basis for any strategy is to focus on three fundamental goals, Randolph said: Making attacks more costly for the attacker, diminishing the value of attacks, and allowing both government and private-sector organizations to benefit. 

"Our goal here is to require the Chinese government to work harder and longer to achieve their objective," she said. "And this starts with really understanding the adversary's behavior."

Starting in 2014, with the indictment of five members of the Chinese military for stealing trade secrets, the US Department of Justice has occasionally filed charges against individuals identified in intellectual property theft. The goal is to deter the individuals, vindicate the victim's interest, and create an unclassified, public record so that other agencies and international allies can take action, said panel participant Adam Hickey, deputy assistant attorney general at the US Department of Justice.

Hickey admitted that criminal prosecutions alone will not likely make a difference. The DoJ also has focused on punishing those who have benefited from stolen intellectual property to reduce the demand for stolen technologies and trade secrets.

"The gold standard of what we are trying to do is target the beneficiaries of the theft of IP," he said. "We leverage a criminal prosecution and share information for other parts of the government, so beneficiaries of the theft don't enjoy the value of it or can't profit from it."

The US must also consider the differences in how cultures approach intellectual property, said Marcus Sachs, deputy director for research at Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security.

The concept of putting boundaries around property is very different, and Americans tend to lose that perspective, he said.

"In a globally competitive world, we have to agree to some norms of behavior, and whether that norm is an Eastern norm or a Western norm is up for debate," Sachs said. "We need to think about how we define intellectual property, just as China has to think about how they define intellectual property."

From a governmental perspective, the Trump administration implemented many of the recommendations of the Cyberspace Solarium Commission, and the Biden administration has started implementing many more, such as creating a single office for cybersecurity policy, said Senator King. 

A lot still has to be done. Structure is policy, and for cyber, the United States' messy structure has led to a messy policy, he said.

"One of the problems is that cyber, and the responsibility for cyber, is spread all over the US government," Senator King said. "It's all over the place — we have excellent silos, but they are still silos."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20733
PUBLISHED: 2021-06-22
Improper authorization in handler for custom URL scheme vulnerability in ????????? (asken diet) for Android versions from v.3.0.0 to v.4.2.x allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.
CVE-2021-20734
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
CVE-2021-20735
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in ETUNA EC-CUBE plugins (Delivery slip number plugin (3.0 series) 1.0.10 and earlier, Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier, and Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier) allows remote attackers to ...
CVE-2021-20736
PUBLISHED: 2021-06-22
NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors.
CVE-2021-20737
PUBLISHED: 2021-06-22
Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors.