Despite Government Pledge, US Firms Say They Are Left On Own For Cyber Theft Protection

21/04/2016 by Bruce Gain for Intellectual Property Watch

The United States government continues to ratchet up its rhetoric against state-sponsored “cyber” theft of intellectual property, but private firms largely report that they have to take matters into their own hands.

IT professionals remain sceptical about the effectiveness of government initiatives overall despite President Obama’s recent pledge to invest US$19 billion in 2016 to crack down on cybercrime, especially against state-sponsored data thieves.

[Image: James R. Clapper, US Director of National Intelligence]

Rhetoric aside, many CTOs and others responsible for cyber security in the US say it is up to them to protect their trade secrets against data theft in the indefinite future, Bob Gourley, founder of security analyst firm Cognitio and a former technology executive for the US intelligence community, told Intellectual Property Watch.

Among 150 cybersecurity executives surveyed across different industries, only a small percentage said they thought that the US government could protect them, Gourley said.

“I asked questions related to information sharing and its value and perceptions that the government could help enterprises defend themselves,” Gourley said. “Almost 100 percent of the industry chief information security officers [CISOs] surveyed indicated they had given up thinking that the government would ever provide information of use to them.”

As part of a follow-up to the survey, Gourley said he contacted several cyber security professionals that he knew and respected. “One person said that he had indeed received information from the government that was helpful.
Four told me that the only thing they had ever received from the government was old and therefore useless,” Gourley said. “All told me that if they had to give up working with government or working with their ISAC (Information Sharing and Analysis Center), they would give up working with government.”

Some observers and industry experts say there is only so much that the government can do. The assumption that the US government can directly protect US-owned intellectual property from cyber attacks is dubious at best, Clive Longbottom, an analyst for Quocirca, told Intellectual Property Watch.

“It is mainly posturing,” Longbottom said. “Politicians are not in a position to fully understand the nuances and dynamics of information security.”

In the US, locking down security against cyber theft is inherently difficult since governmental organisations hope both to advocate the encryption of information and to demand access to networks.

“On the one hand, they cry out for measures that will ensure information security within the lines on the map that they believe they have sovereignty over, while trying to insist that back doors are left in place for the NSA, CIA, and FBI to be able to use. These are obviously at complete odds with each other,” Longbottom said. “Even if the politicians did come up with a security framework for organisations to work within, it would take so long to be agreed that it would be well out of date before it was enacted. It would also provide the blueprints for any individual, corporate or sovereign hacker to attack the specific vectors that would be the most vulnerable.”

Despite industry scepticism, the US government says it is committed to protecting firms against cybercrime. US President Barack Obama, for example, announced the Cybersecurity National Action Plan to boost cybersecurity funding by more than a third in an editorial published in the Wall Street Journal earlier this year.
“Our advantage is threatened by foreign governments, criminals and lone actors who are targeting our computer networks, stealing trade secrets from American companies and violating the privacy of the American people,” President Obama wrote.

US Congressional representatives recently introduced proposed legislation intended to make it easier for companies to report and seek legal claims against alleged perpetrators of intellectual property theft, called the Defend Trade Secrets Act (“DTSA”). The bill, among other things, was created to allow US companies to pursue claims as plaintiffs in US Federal Courts when they suspect that trade secrets were stolen.

The US government has also become more vocal about applying political pressure to prevent state-sponsored cyber theft, especially against China. Late last year, for example, Director of US National Intelligence James Clapper singled out China as a source of data theft of intellectual property. “China continues to have success in cyber espionage against the US Government, our allies, and US companies,” Clapper wrote.

While not specifically related to cyber theft, US investigators say Mo Hailong, a Chinese citizen, pleaded guilty to stealing trade secrets relating to crop production in a US federal court earlier this year. More recently, US Navy Lieutenant Commander Edward Lin was arrested in April on accusations that he was spying for Taiwan.

While the effectiveness of the US crackdown on trade secret theft remains controversial, China is often cited by security experts as a particularly dangerous cyber threat.

“As for China, I think there’s no question that they have put a lot of successful effort into stealing technology from other countries,” Henry B (Hank) Hotz, CTO for Secure Channels, told Intellectual Property Watch.
“There’s also no real question that they are the most prolific attacker in cyberspace.”

Some observers say organisations outside of the government can use money on offer by the US government to develop anti-cyber theft initiatives. Advanced encryption networks, as part of a network of data protected against intrusions from outside of the US, are one possible solution.

“I think we need enough political will to keep technical initiatives in the private sector for cyber theft protected funded,” Hotz said. “I hope the ambiguous real-world results don’t prevent funding that the government might offer if the technology we invent in the private sector does not precisely meet the stated political goals.”

Regardless of what the US government does hope to accomplish, a crucial takeaway is that CEOs of organisations remain responsible for the cyber theft and any loss of intellectual property from data theft, Gourley said.

“The most important thing any policy-maker, executive or technologist should know about the administration’s plan is that it does not change who is responsible for defending your enterprise. Companies have CEOs for a reason: they are responsible for all good and bad that happens to the company and are responsible for reducing digital risk,” Gourley said. “They can be helped internally by a chief risk officer, a chief information officer, and a chief information security officer and externally by security professionals and organisations that review and assess.
But responsibility to defend rests in one place, the CEO’s office.”

Image Credits: US government

Bruce Gain may be reached at info@ip-watch.ch.

"Despite Government Pledge, US Firms Say They Are Left On Own For Cyber Theft Protection" by Intellectual Property Watch is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

[…] #ipwatch propping up #clapper the epic #liar in relation to "state-sponsored “cyber” theft of intellectual property" http://www.ip-watch.org/2016/04/21/despite-government-pledge-us-firms-say-they-are-left-on-own-for-c… […]