Data Security Law Journal Focusing on legal trends in data security, cloud computing, data privacy, and anything E

Foreign Economic Cyber-Espionage (Part 3)

Posted in Data Breach, Data Security

This final blog entry in the series about economic cyber-espionage focuses on what, if anything, the government can do and is doing to limit cyber attacks that result in the theft of billions dollars worth of intellectual property and confidential proprietary information.

The issue of cyber-espionage is receiving attention from the highest levels of government.  For example, the report that was the basis for this series was prepared by the Office of the National Counterintelligence Executive, which is part of the Office of the Director of National Intelligence.  It is staffed by senior counterintelligence and other specialists from across the national intelligence and security communities.  The Intelligence Authorization Act for Fiscal Year 1995 requires that the President biennially submit to Congress updated information on the threat to U.S. industry from foreign economic collection and industrial espionage.  This report was submitted to Congress pursuant to that obligation.

The issue is gaining significant attention in the U.S. media, for legitimate reasons.  Loren Thompson, a contributor for Forbes magazine recently authored an article entitled “U.S. headed for Cyberwar Showdown with China in 2012.”   In it, Mr. Thompson points out that even though cyber-espionage is “being executed by a relatively small number of agents linked to the general staff of China’s People’s Liberation Army, the damage they are inflicting on U.S. security and economic competitiveness is judged to be extensive.”  But as Thompson points out, the question is what, if anything, can be done about it.

Part of the problem appears to be identifying precisely who is engaging in these cyber attacks.  According to a report by Siobhan Gorman in the Wall Street Journal the Obama Administration has had some success in identifying some of the key operatives in the Chinese cyber campaign (though the Chinese claim that such allegations are “totally ungrounded” and that Chinese law “clearly prohibits hacking”).  I highly recommend the article to anyone interested in a deeper investigation into allegations of Chinese cyber-espionage.

Yet, Mr. Thompson with Forbes posits, the administration has taken little offensive action against China because “it doubts confrontational tactics will produce positive results.” But given the billions dollars in economic information being lost to the Chinese intrusions and the possibility of far worse attacks, it is far more likely that the administration will be forced to be more openly aggressive.

In addition to the issue increasingly gaining the attention of the executive branch, Congress is considering competing legislation that would seek to limit the risk or cyber attacks.  The Cybersecurity Act of 2012 (S.2105), introduced by Senators Lieberman and Rockefeller, would give the Department of Homeland Security regulatory authority over companies with computer systems crucial to the nation’s economic and physical security.  Republicans have proposed alternative legislation called the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act (“SECURE IT”).  Crudely defined, the Republican alternative relies on companies voluntarily sharing threat data through certain cybersecurity centers.  In exchange, companies would receive incentives, such as protection from civil lawsuits and exemption from public disclosure.  It is unclear whether Congress will ultimately pass either piece of legislation.

UPDATE:  60-Minutes recently aired a very interesting story on the Stuxnet virus, which is a virus believed to have been used offensively to attack Iranian nuclear plants.  The piece is particularly relevant to this series of blog entries because it discusses the increased trend in international espionage through cyber attacks.  I highly recommend the story to those of you interested in this issue.

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.