How Obama should work with business to combat China cyberspying

If the US wishes to stop Chinese economic cyber-espionage, it will need to increase the costs and reduce the benefits to China of such activities. US government actions are important, but the key players in this game sit in the private sector. A true public-private partnership is needed.

Jason Lee/Reuters
US Ambassador to China Gary Locke speaks at the 6th US-China Internet Industry Forum in Beijing April 9. Op-ed contributor Irving Lachow writes: 'All nations spy on each other, but right now, the United States and China are playing the spy-vs.-spy game using different sets of rules. If the US wants China to change its behavior, it will need to change the payoff that China gets from playing the game its way.'

The United States has made it clear to China that its cyber-espionage activities are a serious concern.

The Washington Post reported this week that several US military weapons systems and technologies have been compromised by Chinese hackers, according to the Defense Science Board. As alarming as that news is, China’s cyber-spying attacks are also bombarding US businesses.

If the US wishes to stop this Chinese economic cyber-espionage, it will need to increase the costs and reduce the benefits of such activities. That will cause China and other competitors to rethink whether such activities are worth it. Government actions are important, but the key players in this game sit in the private sector. A true public-private partnership is needed.

The threat of Chinese cyberspying to US businesses is clear. A report released last week by the Commission on the Theft of American Intellectual Property states that: “China is two-thirds of the intellectual property theft problem, and we are at a point where it is robbing us of innovation to bolster their own industry, at a cost of millions of jobs.”

What makes the US-China dispute unique is that the two countries are playing a game – spy vs. spy – that is accepted in international relations, but they are playing it by different rules.

The US government views espionage as a national security activity, not as a tool for furthering the economic well-being of US companies. In contrast, China views the well-being of its companies as being directly tied to the security interests of the nation. In their minds, drawing a line between espionage focused on stealing state secrets and espionage focused on stealing corporate secrets is arbitrary.

China is not the only country that has such views. However, the scale and scope of Chinese activity is unparalleled, and the potential threat it poses to US competitiveness is certainly raising the eyebrows, if not the hackles, of the nation’s highest leaders.

Because of this fundamental difference in the acceptability of state-sponsored cyber-economic espionage, the United States will be hard pressed to stop such activities with words alone. The US will need to raise the costs and lower the benefits of such activities. There are several policy levers that the US government can use to achieve those goals, though changing China’s fundamental views through government actions alone will be difficult.

For example, the US government can threaten retaliatory actions, be they economic, diplomatic, legal, or technical in nature. It could, for instance, impose economic sanctions or deny visas to suspected cyberspies and/or their enablers.

There are certainly benefits to pursuing these ideas, but US options will be limited because of the trade-offs involved in increasing tensions with its largest trading partner. If China truly views economic espionage as a national security matter, it will strongly resist efforts to curtail such activity, especially if it views the US position as being hypocritical. The US may thus risk retaliatory actions on American companies or citizens if it pushes too hard on this issue.

A more powerful option is for the US government to help industry lower the value that China gains from its activities. This can be done in three ways.

First, the US government must provide companies with actionable intelligence that they can use to protect their networks. The Cyber Executive Order – a policy document issued by the White House in February – declared that the federal government will make such information increasingly available to critical infrastructures like power plants and major financial institutions.

However, much of the cyber-espionage occurring today targets organizations, including professional services firms and innovative start-ups, that do not fall under the Cyber Executive Order’s provision. The US Department of Homeland Security needs to use its authority to incentivize and enable the creation of trusted federations of companies, like the Advanced Cyber Security Center in Massachusetts, that share cyberthreat information and best practices for cyberprotection.

By sharing what they know, companies can shed light on the tactics that the Chinese are using – to the benefit of all.

Second, government agencies must incentivize companies to take actions that improve their cybersecurity. Numerous studies have shown that most companies fail to effectively implement even the most basic cybersecurity controls such as patching known vulnerabilities and limiting the number of users with administrative privileges. Such controls will not stop advanced attacks, but they can make cyberspies work harder. And by stopping lower-level attacks with these controls, they can free up corporate resources to address more sophisticated attacks.

In addition, information sharing will provide little benefit unless companies have the people and processes to use that information effectively. Financial incentives, such as tax breaks and fines, may be the best tools for changing corporate decisionmaking on this issue, but all options should be explored.

Finally, the US government needs to clarify the legal framework that delineates what kinds of “active defenses” are permissible under different circumstances. In particular, the Computer Fraud and Abuse Act needs to be updated to better reflect the circumstances that companies face today. For example, it may be necessary to clarify what actions companies can take to track the theft of their intellectual property outside of corporate networks.

All nations spy on each other, but right now, the United States and China are playing the spy-vs.-spy game using different sets of rules. If the US wants China to change its behavior, it will need to change the payoff that China gets from playing the game its way.  

Irving Lachow is a senior fellow and director of the Technology and National Security Program at the Center for a New American Security.
