Intellectual Property Theft and the Unmeasurable Loss
Right now, we’re seeing a very high level of public awareness around cyberattacks that target personal information. The hacking of JPMorgan Chase, Anthem and United Airlines, for example, have attracted significant media attention, and been at the center of high-profile follow-up investigations.
But what if there was another, potentially more damaging kind of cyberattack on the rise? One without mandatory disclosure laws, and that most victims would prefer to keep hidden? How great could the unmeasurable cost be to the US economy?
What I’m describing is the theft of intellectual property (IP), particularly technology – an area in which corporate America currently faces some very serious and well-equipped adversaries.
The Threat from China
Last year, a grand jury in the Western District of Pennsylvania indicted five Chinese military officers for the hacking of six US companies between 2006 and 2014. The victims had been involved in negotiation or litigation with their state-owned counterparts in the PRC, and the defendants – members of PLA Unit 61398 – had stolen IP relating to nuclear power, alternative energy and high-tech manufacturing.
Essentially, the Chinese had entered business discussions with the full strength of their military intelligence service behind them, and stolen technologies and trade secrets that would be of direct benefit to their own economy.
With the lack of disclosure laws, we have no way of knowing how often this happens. Any number of negotiations between US and Chinese companies may have taken place on similar terms, and the Chinese have the advantage because they can effectively divide and conquer. No private enterprise will accuse the PRC of hacking for fear of losing business, and their inaction prevents them from acting collectively against the threat.
We’re potentially looking at a steady exsanguination of corporate America, and one we have no way to measure and mitigate. When our business leaders make deals with the Chinese, they may well think they’re only negotiating with the person at the other end of the table. In reality, as the six companies appearing in the indictment learned, they’re negotiating with a vast and highly capable military intelligence service.
What’s a ‘Common Understanding’, Exactly?
The US government is, of course, aware of the threat from China, and IP theft was a topic of discussion during President Xi Jinping’s first official visit to the States last month. In fact, he and President Obama announced that they have come to a ‘common understanding’ on the issue and agreed not to ‘knowingly’ support commercially motivated cybercrime.
There are flaws in this agreement, however. Firstly, no country ever admits to spying, even when caught red-handed; the inclusion of ‘knowingly’ is effectively an escape clause. Secondly, the agreement is unenforceable: even if one side were to uncover a serious violation, the threatened imposition of sanctions would lead to retaliation and damage to both sides. Thirdly, the attribution of cyberattacks is increasingly difficult as hacking tools and tactics evolve.
In reality, the impressive-sounding agreement is carefully crafted to have multiple meanings. The US sees it as an admission by China of past transgressions and a commitment to stop, which contrasts with a statement made by the Chinese foreign ministry after the 2014 indictment that its government, military and their personnel “have never engaged or participated in cyber theft of trade secrets”. To China, meanwhile, it vindicates a counter-accusation that the US is engaged in cyber espionage against its “government departments, institutions, companies, universities and individuals”.
More generally, it’s undermined by the fact that while the US makes a distinction between the hacking of government and military networks and private enterprises, the Chinese do not. In his speech in Seattle on September 22nd, President Xi stated: “Both commercial cyber theft and hacking against government networks are crimes that must be punished in accordance with law and relevant international treaties.” Until that happens, China has no reason to drop what it sees as another useful tactic to further its power on the global stage.
My prediction is that not much will change in light of the agreement, other than the PLA honing its craft to make it even harder for the US to find proof of commercially motivated cybercrime.
How Should Companies Respond?
Obviously, not many enterprises are likely to eschew business relationships with foreign powers for fear of IP theft alone. For companies holding data on sensitive and economically important technology, however, entering such a discussion should be seen as a risk that requires careful forethought.
It could also be seen as an opportunity to improve IT security and mitigate that risk. The hacking techniques used by Unit 61398 aren’t particularly sophisticated – mostly, they rely on spear-phishing to get inside their targets’ networks. The recent cyberattacks on Anthem and United Airlines may even have been attempts to bolster this capability, which could potentially be undermined by stronger network security and access controls.
We don’t know how much IP theft costs corporate America. We do know, however, that China’s long-term economic plan is dependent on technologies being developed in the US and elsewhere, and that it’ll use any means necessary to achieve its goals.
Surely it makes sense for US companies to do everything they can to level the playing field?
Image:Intellectual Property Theft and the Unmeasurable Loss (iStock/PointImages)