Chinese spies target US intellectual property

The U.S. economy is losing hundreds of billions of dollars each year to economic espionage, mainly from China, experts say. Some of the problem is political, but plenty of it is due to a ‘stupefying’ lack of security.

Page 2 of 2

There is evidence that the U.S. government is becoming more aggressive in pursuing economic espionage cases. The Wall Street Journal reported in 2013 that the Justice Department had pursued at least 19 cases of corporate espionage since 2009 – most of the defendants were Chinese, but were working for U.S. corporations.

And a bill pending in Congress, with bipartisan support, would improve the legal leverage companies have regarding their trade secrets. It would allow a company to bring a civil action against a perpetrator in federal court, and also provide for “ex parte” seizure of trade secrets before they can be disseminated.

“It lets you preserve the evidence before they know they’ve been sued,” Halligan said. “Otherwise, they can just press a key on their computer and send it to another part of the world.”

But Halligan said American companies cannot rely on government for protection, and need to do a much better job themselves of securing their assets.

One problem with relying on government is political – China is perceived as such a major market for U.S. corporations that neither government nor private-sector officials want to jeopardize that relationship. While U.S. officials issued "stern admonitions" to China about economic espionage in advance of the U.S.-China Strategic and Economic Dialogue in June (annual Cabinet-level talks on strategic and economic issues), the Heritage Foundation’s Cheng said that reporting on the talks indicated that, “more time was spent discussing global warming than cyber security concerns.”

Elizabeth Bancroft, executive director of AFIO, said in a discussion with a number of her colleagues at the organization that the consensus was the U.S. should not be fearful of getting tough with China on economic espionage.

“China's espionage is impacting, or could impact, its role in this partnership, and they may well lose more than they gain,” she said. “All of this is a bit of a poker game, and that's what statecraft is about.”

But she added that her colleagues agree that, “right now we do little, and it has left China convinced, in that case, that brazen thefts are a low risk, high payoff gambit for gaining economic advantage.”

Another major problem is that the reach of U.S. law enforcement does not extend into China. Security vendor Mandiant (now a part of FireEye) issued a report in 2013 on a military hacking unit in China that it called APT1, also known as Unit 61398 of the People’s Liberation Army.


That unit allegedly hacked into the networks of American companies including U.S. Steel, Alcoa, Allegheny Technologies (ATI) and Westinghouse, plus United Steelworkers, the biggest industrial labor union in North America. Five of its members are now on the FBI’s Most Wanted list, but there is essentially no chance that any of them will ever be arrested, since China and the U.S. do not have extradition agreements.

But the security mindset of American companies also leaves them vulnerable. John Quinn, a former Far East specialist with the CIA, notes that Chinese culture and thinking go back thousands of years, while the U.S. is less than 300 years old. “It is worthwhile to remember that the Chinese have centuries of espionage experience dating back to Sun Tzu and ‘The Art of War,’” he said.

Also, according to a report in the July-August edition of MIT Technology Review, “the failure of the (hacked) companies’ supposed security technologies was stupefying.”

Indeed, there are multiple examples of the Chinese easily gaining long-term access to corporate networks.

Nortel Networks, which had been one of the telecom giants, had reportedly been penetrated by Chinese hackers for as long as a decade before it filed for bankruptcy in 2009. The hack began with the theft of seven passwords from top executives, including the CEO.

Porous security is not the only problem either, Halligan said. “The real problem lies in U.S. companies not conducting internal trade secret audits,” he said. “Everybody starts with security, but you should really start by identifying assets and classifying them. Policies don’t matter if you don’t know what you’re protecting.”

He said while there are U.S. laws protecting patents, copyrights and trademarks, “we don’t have a registration system for trade secrets, so you have to set it up internally. Too many U.S. companies don’t want to do that, so they’re fleeced and don’t know they’ve been fleeced.”

The FBI warns companies not to think that just because they are small to mid-sized, they are not on the radar for economic espionage.

The telecom executive agrees with that. “Most companies think they aren’t big enough to interest the Chinese,” he said. “But if you are part of the supply chain, you’re on the scope – they are a full-spectrum adversary.”

What should organizations do? The FBI, as part of its economic espionage awareness campaign, offers a list of recommendations for protecting IP assets. And Quinn said U.S. firms should follow the five steps of Operations Security (see sidebar).

But Halligan said he believes organizations can get 80 percent worth of protection by doing just two things.

“Only those with need to know should have access to assets,” he said. “That’s something that should be easy to implement. And then, break up the pieces of the puzzle, so if someone absconds with one piece, they can’t get the whole trade secret.”

He and others, including Quinn, say the economic espionage threat will only get worse. “Foreign adversaries will continue to refine their espionage tradecraft and clandestine recruitment methods,” Quinn said. “The Chinese should be considered formidable adversaries.”

Bancroft said her colleagues agree with that. She said the U.S. can bring economic pressure on China, by not buying stolen goods or products made with stolen property. “China needs to accept that there are easier ways to get such property through manufacturing arrangements.

“Right now we’re tolerating increasing bad behavior,” she said. “What we need is a clear, unwavering, strong counterintelligence strategy that influences China to act responsibly. It is not a technical problem requiring a technical answer; it is a policy question requiring a statecraft response.”

Copyright © 2015 IDG Communications, Inc.
