Published by Al Saikali

March 2012

This final blog entry in the series about economic cyber-espionage focuses on what, if anything, the government can do and is doing to limit cyber attacks that result in the theft of billions of dollars' worth of intellectual property and confidential proprietary information.

The issue of cyber-espionage is receiving attention from the highest levels of government.  For example, the report that was the basis for this series was prepared by the Office of the National Counterintelligence Executive, which is part of the Office of the Director of National Intelligence.  It is staffed by senior counterintelligence and other specialists from across the national intelligence and security communities.  The Intelligence Authorization Act for Fiscal Year 1995 requires that the President biennially submit to Congress updated information on the threat to U.S. industry from foreign economic collection and industrial espionage.  This report was submitted to Congress pursuant to that obligation.

The issue is gaining significant attention in the U.S. media, for legitimate reasons.  Loren Thompson, a contributor for Forbes magazine, recently authored an article entitled “U.S. headed for Cyberwar Showdown with China in 2012.”  In it, Mr. Thompson points out that even though cyber-espionage is “being executed by a relatively small number of agents linked to the general staff of China’s People’s Liberation Army, the damage they are inflicting on U.S. security and economic competitiveness is judged to be extensive.”  But as Thompson points out, the question is what, if anything, can be done about it.

Part of the problem appears to be identifying precisely who is engaging in these cyber attacks.  According to a report by Siobhan Gorman in the Wall Street Journal, the Obama Administration has had some success in identifying some of the key operatives in the Chinese cyber campaign (though the Chinese claim that such allegations are “totally ungrounded” and that Chinese law “clearly prohibits hacking”).  I highly recommend the article to anyone interested in a deeper investigation into allegations of Chinese cyber-espionage.

Yet, Mr. Thompson with Forbes posits, the administration has taken little offensive action against China because “it doubts confrontational tactics will produce positive results.” But given the billions of dollars in economic information being lost to the Chinese intrusions and the possibility of far worse attacks, it is far more likely that the administration will be forced to be more openly aggressive.

In addition to the issue increasingly gaining the attention of the executive branch, Congress is considering competing legislation that would seek to limit the risk of cyber attacks.  The Cybersecurity Act of 2012 (S.2105), introduced by Senators Lieberman and Rockefeller, would give the Department of Homeland Security regulatory authority over companies with computer systems crucial to the nation’s economic and physical security.  Republicans have proposed alternative legislation called the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act (“SECURE IT”).  Crudely defined, the Republican alternative relies on companies voluntarily sharing threat data through certain cybersecurity centers.  In exchange, companies would receive incentives, such as protection from civil lawsuits and exemption from public disclosure.  It is unclear whether Congress will ultimately pass either piece of legislation.

UPDATE:  60 Minutes recently aired a very interesting story on the Stuxnet virus, which is believed to have been used offensively to attack Iranian nuclear plants.  The piece is particularly relevant to this series of blog entries because it discusses the increased trend in international espionage through cyber attacks.  I highly recommend the story to those of you interested in this issue.

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

This series of blog entries on foreign economic cyber-espionage arose from a recent government report detailing the source, extent, and threat of cyber-espionage to the U.S. economy.  This entry focuses on the cost of this espionage to the U.S. and global economy.

The National Counterintelligence Executive report finds that the threat of cyber-espionage applies to all U.S. economic activity and technology, but the greatest threats are to:

  • Information and communications technology, which forms the backbone of nearly every other technology.
  • Business information that pertains to supplies of scarce natural resources or that provides foreign actors an edge in negotiations with U.S. businesses or the U.S. Government.
  • Military technologies, particularly marine systems, unmanned aerial vehicles, and other aerospace/aeronautic technologies.
  • Civilian and dual-use technologies in sectors likely to experience fast growth, such as clean energy and healthcare/pharmaceuticals.

With respect to the health care and pharmaceutical industry, the report specifically notes that, “The massive R&D costs for new products in these sectors—up to $1 billion for a single drug—the possibility of earning monopoly profits from a popular new pharmaceutical, and the growing need for medical care by aging populations in China, Russia, and elsewhere are likely to drive interest in collecting valuable U.S. healthcare, pharmaceutical, and related information.”

Cyber-espionage has cost tens or hundreds of millions of dollars in potential profits to U.S. entities, but the report also identifies several factors that affect the cost of cyber-espionage:

  • Many victims of economic espionage are unaware of the crime until years after loss of the information.
  • Even when a company knows its sensitive information has been stolen by an insider or that its computer networks have been penetrated, it may choose not to report the event to the FBI or other law enforcement agencies. No legal requirement to report a loss of sensitive information or a remote computer intrusion exists, and announcing a security breach of this kind could tarnish a company’s reputation and endanger its relationships with investors, bankers, suppliers, customers, and other stakeholders.
  • A company also may not want to publicly accuse a corporate rival or foreign government of stealing its secrets out of fear of offending potential customers or business partners.
  • Finally, it is inherently difficult to assign an economic value to some types of information that are subject to theft. It would, for example, be nearly impossible to estimate the monetary value of talking points for a meeting between officials from a US company and foreign counterparts.

Nicole Perlroth, a reporter for the New York Times Bits column, writes regularly on data privacy and data security issues.  She recently reported on the economic cost of economic cyber-espionage in greater depth.  In an article titled “How Much Have Foreign Hackers Stolen?” she points out that nobody really knows how much has been stolen and, predictably, companies are reluctant to discuss any security breaches they have suffered.  Her research, however, identified Congressional testimony by the Assistant Director of the U.S. Secret Service estimating that in 2010 “cyberthieves abroad stole 867 terabytes of data from the United States, or nearly four times the amount of data collected in the archives of the Library of Congress.”  That amount is now stolen on a daily basis, according to the former Director of National Intelligence.  Any computer system of consequence has been compromised by an advanced persistent threat.

The problem will only get worse as foreign technology improves, more data is moved into “the cloud”, and workers make it easier to steal trade secrets by carrying them around with them on their personal devices.  Ms. Perlroth wrote a separate article called “Traveling Light in a Time of Digital Thievery” that describes the extent to which companies are going to protect their data when their employees travel abroad.  Such measures include bringing loaner devices that are wiped clean before they leave the U.S. and immediately upon return to the U.S., disabling Bluetooth and Wi-Fi when overseas, and copying and pasting passwords from a separate USB thumb drive.  The article is well worth a read for anyone traveling overseas with a mobile device that is used to access corporate data in the United States.


This blog entry begins a multi-part series on the rise of foreign economic cyber-espionage.  In October 2011, the U.S. Office of the National Counterintelligence Executive issued a report to Congress entitled “Foreign Spies Stealing U.S. Economic Secrets in Cyberspace.”  The report was significant because it was one of the first formal documents in which the U.S. government took a clear position that elements in China and Russia are actively and intentionally stealing U.S. economic secrets through the use of cyber attacks.  The Chairman of the House Intelligence Committee told the New York Times that “[t]he biggest threat, when it comes to cyber-espionage today, is the sheer volume with which China seeks to steal our intellectual property for its own prosperity.”

The report details the “cyber collection” of information by foreign actors, which can take many forms, like simple visits to a U.S. company’s website for the collection of openly available information, a corporate insider’s downloading of proprietary information onto a thumb drive at the behest of a foreign rival, or intrusions launched by foreign intelligence services or other actors against the computer networks of a private company, federal agency, or an individual.

The report provides examples of how a massive number of computer network intrusions have been used to attack U.S. corporations, primarily in the health care, pharmaceutical, and defense industries.  The report concedes, however, that attribution to a specific country can be difficult because it is often based on circumstantial evidence, such as the fact that the IP addresses for these computer network intrusions originate in that country.

Some examples of cyber-espionage documented in the report include:

  • In a February 2011 study, McAfee attributed an intrusion set they labeled “Night Dragon” to an IP address located in China and indicated the intruders had exfiltrated data from the computer systems of global oil, energy, and petrochemical companies. Starting in November 2009, employees of targeted companies were subjected to social engineering, spear-phishing e-mails, and network exploitation. The goal of the intrusions was to obtain information on sensitive competitive proprietary operations and on financing of oil and gas field bids and operations.
  • In January 2010, VeriSign iDefense identified the Chinese Government as the sponsor of intrusions into Google’s networks. Google subsequently made accusations that its source code had been taken—a charge that Beijing continues to deny.
  • Mandiant reported in 2010 that information was pilfered from the corporate networks of a US Fortune 500 manufacturing company during business negotiations in which that company was looking to acquire a Chinese firm. Mandiant’s report indicated that the US manufacturing company lost sensitive data on a weekly basis and that this may have helped the Chinese firm attain a better negotiating and pricing position.
  • Participants at an Office of National Counterintelligence Executive conference in November 2010 from a range of US private sector industries reported that client lists, merger and acquisition data, company information on pricing, and financial data were being extracted from company networks—especially those doing business with China.

In addition to Chinese economic espionage, the report also cites the June 2010 arrest of ten Russian foreign intelligence service employees who were tasked with collecting economic and technology information.  In certain cases, according to the report, allies and other countries enjoy broad access to U.S. Government agencies and the private sector and conduct economic espionage to acquire sensitive U.S. information and technologies.

Future entries in this series will focus on the cost of these cyber attacks on the U.S. economy and what is being done to limit it.

 
