Shaming China to Stop Hacks Doesn't Work
Commission Also Warns of Chinese Threat from the Cloud
Attempts to shame China haven't been effective in stopping that country from pilfering intellectual property from the computers of American companies, a new report to Congress says.
The report from the U.S.-China Economic Review Commission, issued Nov. 20, points out that China hasn't changed its behavior despite widely covered reports this past year from security firm Mandiant and the Defense Department about the Chinese targeting American companies and military contractors over the Internet to steal intellectual property and trade secrets (see 6 Types of Data Chinese Hackers Pilfer and DoD Outlines China's Spying on U.S. IT).
"It is clear naming and attempting to shame will not be sufficient to deter entities in China from engaging in cyber-espionage against U.S. companies," the report says.
The commission says mitigating the problem will require a multifaceted approach, including linking economic cyber-espionage to trade restrictions, prohibiting Chinese firms using stolen U.S. intellectual property from accessing U.S. banks and banning U.S. travel for Chinese organizations that are involved with cyber-espionage. "To date," the report says, "Washington has not implemented a comprehensive framework for addressing China's ongoing cyber-espionage."
Despite the reluctance of the Chinese to stop e-spying on American companies, President Obama's national security adviser, Susan Rice, encourages China to do just that for its own good.
"Cyber-enabled economic espionage hurts China as well as the U.S. because American businesses are increasingly concerned about the costs of doing business in China," Rice said in remarks delivered Nov. 20 at Georgetown University. "If meaningful action is not taken now, this behavior will undermine the economic relationship that benefits both our nations."
Threat From the Cloud
The commission also says China's cyberthreat could come from the cloud. A Chinese company is building that nation's largest cloud computing center in Chongqing, a city of nearly 30 million. "The relationship between China's Ministry of State Security and the Chongqing Special Cloud Computing Zone represents a potential espionage threat to foreign companies that might use cloud computing services provided from the zone or base operations there," the report says.
In addition, the report says, a plan to link China's largest carrier-neutral Internet data center services provider, 21Vianet, to Microsoft data centers in other countries suggests the Chinese government could eventually gain access to data centers outside China.
The U.S.-China Economic Review Commission reports annually to Congress on the national security implications of the bilateral trade and economic relationship between the United States and China. The report does not delve into actions of American intelligence agencies that target China.
Recent revelations from top secret documents leaked by former National Security Agency contractor Edward Snowden show how the United States has targeted other nations over the Internet and other communications networks. Those reports have increased China's distrust of the United States.
Bilateral Approach to Halt Hacking
"Both countries are incredibly, pervasively dependent on each other and, in this context, we don't trust each other," Karl Rauscher, a distinguished fellow and chief technology officer of the EastWest Institute, a global think tank, says in an interview with Information Security Media Group.
In a report he co-authored for the EastWest Institute, Rauscher characterizes the back-and-forth hacking as posing a serious challenge for the future prosperity of China and the United States. "They are so close in their integrated reliance on each other, that each can easily do harm to the other - devastating harm," write Rauscher and his co-author, Zhou Yonglin of China's computer emergency response team. "Unfortunately, in the past years, China and the U.S. have seen the trust in their relationship suffer. The current situation is thus one of growing instability for China and the U.S. with regard to cybersecurity."
The EastWest Institute report, Frank Communications and Sensible Cooperation to Stem Harmful Hacking, offers nine recommendations to get both nations to cooperate to curtail hacking.
What Should Congress Do?
The U.S.-China Economic Review Commission suggests Congress should:
- Adopt legislation clarifying the actions companies are permitted to take regarding tracking intellectual property stolen through cyber-intrusions;
- Amend the Economic Espionage Act to permit companies to sue foreigners when trade secrets are stolen;
- Support the administration's efforts to achieve a high standard of protection of intellectual property rights in the Trans-Pacific Partnership and the Transatlantic Trade and Investment Partnership;
- Encourage the administration to partner with other nations to establish an international list of individuals, groups and organizations engaged in commercial cyber-espionage;
- Urge the administration to continue to enhance its sharing of information about cyberthreats with the private sector, particularly small- and mid-size businesses;
- Direct the administration to prepare an inventory of federal use of cloud computing platforms and services and determine where the data storage and computing services are geographically located; and
- Urge the administration to expedite progress in its implementation of the National Defense Authorization Act of 2011, which was intended to enhance the Defense Department's ability to address supply chain risks.