LAGUNA BEACH, Calif. -- After the publication of the Mandiant report earlier in the year linking China's People's Liberation Army to ongoing and massive cyberattacks against U.S. corporations, government agencies, universities, and other organizations, policy makers and industry experts have been trying to figure out how to better secure their intellectual property against cyberattacks.
Call it a work in progress.
"The frustration for me is that in the U.S., parties who have valuable intellectual property are not adequately protecting their data," said Richard Marshall, former director of Global Cyber Security Management for the Department of Homeland Security and a former NSA information security official. He was speaking at the Future in Review conference here. "There are technologies that can be used to protect our intellectual property, but you need to do it here before we start pointing fingers. We should be the aggressor in protecting our intellectual property."
Some of the technologies include embedding a beacon on exfiltrated data to identify the sources of attacks, modifying files so they self-destruct when stolen and even planting code on stolen data that could destroy the perpetrators' systems.
The Cyber Intelligence Sharing and Protection Act (CISPA) included provisions that would give some immunity to private organizations engaging in "offensive" cybersecurity activities, but failed to pass last year. It has since been revived by House Republicans but the White House is on record pledging to veto the bill unless more privacy and civil liberties protections are included.
"If you are worried about your crown jewels disappearing, remember that every time you improve your firewall, they find a way to get through it," said Mark Andersen, CEO of Strategic News Service and host of the Future in Review. "Technology is not going to solve it."
And another dilemma facing companies: The conventional approach may no longer be enough. In testimony earlier this month before the Senate Judiciary Crime and Terrorism Subcommittee, Stewart Baker, former general counsel to the National Security Agency, expressed the same concern regarding whether technology is the ultimate solution.
"We've been living in a dream world, thinking that if we could just fix all the security holes that hackers have been exploiting, then our networks would at last be secure," Baker told the committee. "But if that dream were ever achievable, it looks hopeless today." Baker told Congress that hackers are putting more resources into finding security holes and that the low-risk/high-reward of exploiting networks is attracting "everyone from nation states to organized crime." He now advocates getting private companies, not just law enforcement, involved in investigating cybercrime. "They are institutions that allow the victim of a crime to supplement law enforcement," he said.
The idea of a global treaty among nations, similar to the Treaty on the Non-Proliferation of Nuclear Weapons, has been proposed as a way to deter intellectual-property theft and mutual cyberdestruction by nation-states.
"We must have an international agreement on cooperation, non-proliferation and non-use of cyber weapons. I believe that nation-states will soon come to realize the risks of unfolding cyber weapons, and then put an end to, if not developing, at least the application and distribution of cyber weapons," said Eugene Kaspersky, CEO of the Russian security firm the bears his name.
The source of cyberattacks is more complex than just nation-states, however.
"The [non-proliferation treaty] is an interesting intellectual decision but the actors not necessarily nation-states," Marshall said. "They are rogues. Some are state-sponsored, such as by Russia. It's like the Mafia -- we will protect you but we may call on you to do some dastardly deeds for us, and then they say they are powerless to stop the rogues. So it's larger than just dealing with nation-states, so borrowing a legal framework that started 300 years ago is not easy."
Private corporations in China, for example, are using "complex tiers of agents who hire the hackers" for industrial espionage, as reported by The New York Times.
Andersen believes that the way to address the rampant cybertheft of intellectual property is through economic sanctions. "It's an economic problem. A nation whose economy is based on stealing crown jewels is like a heroin addict...it can't come off it," he said. Andersen advocates placing tariffs on goods from countries that are proven to steal vital intellectual property from corporations and governments.
Another economic approach could be requiring companies that want to be listed on the New York Stock Exchange to prove that the company was not built with stolen intellectual property, Marshall said.
The Committee on Foreign Investment in the United States (CFIUS) has also played a role in protecting U.S. interests, as in preventing Chinese telecom equipment maker Hauwei from acquiring a U.S. company. And, as part of the potential Softbank acquisition of Sprint, U.S. regulators are looking at preventing Huawei equipment from becoming part of the U.S. infrastructure, and Softbank has agreed to have a U.S.-approved board member, The Wall Street Journal reported.
What's clear is that preventing rogue states or private entities from purloining the crown jewels that allow companies like Apple or Intel to compete in the marketplace, or a cyber-Pearl Harbor or September 11, will continue to be a major challenge on many fronts.