CIO

IP theft: Declining, or just more stealthy?

According to several reports, economic espionage by China has been declining since before an agreement 18 months ago to curb it.

Eighteen months ago, President Obama and Chinese President Xi Jinping announced, with considerable fanfare, an agreement aimed at curbing economic espionage.

According to the Sept. 25, 2015 White House press release, “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

So, with Xi due to meet with President Trump in early April, an obvious question is: Has the agreement been effective?

The reviews on that are mixed, but there is general agreement that, while it hasn’t stopped, the theft of intellectual property (IP) by the Chinese against the US is not as rampant as it was several years ago. At that time, The Commission on the Theft of American Intellectual Property estimated total losses, including jobs, competitiveness, stock value and market share, in the hundreds of billions, and former National Security Agency director Gen. Keith Alexander famously called it “the greatest transfer of wealth in human history.”

Robert Silvers, writing on the Lawfare blog, called the statement, “a landmark concession” by the Chinese, and said in the months since, multiple researchers and analysts had concluded that the agreement, “coincided with a significant downturn in Chinese hacking activity.”

Not exactly. A report last June by FireEye iSIGHT Intelligence concluded that while “unprecedented action by the US government” was a factor in the decline, it actually began in the middle of 2014 – more than a year before the Obama/Xi agreement – and was also due to political and military reforms in China, as well as widespread exposure of the country’s economic cyber espionage.

A high-profile example of that exposure came more than two-and-a-half years before the agreement, in February 2013 when Mandiant (since acquired by FireEye) issued a report that named a specific unit of the People’s Liberation Army (PLA) dedicated to cyber espionage, which it said had been targeting 141 organizations in the US and other countries, in some cases since 2006.

And it was in May 2014 that the US Department of Justice indicted five members of that PLA Unit 61398.

That and other factors have given John Quinn, former Far East specialist for the CIA, a more tempered view of the impact of the agreement. “I would characterize it as a work in progress, but a good start,” he said.

“It certainly can, and should, be refined and improved. There are several obvious issues regarding the lack of enforcement mechanisms, including the problem of monitoring compliance,” he said, noting that President Ronald Reagan, when dealing with Soviet leader Mikhail Gorbachev in 1986, “adopted the well-known ‘trust but verify’ posture.”

Indeed, according to another report, released earlier this year by Cybereason, monitoring compliance (as in, “trust but verify”) is, if anything, more difficult now due to what the company says is a trend toward nation states “outsourcing” cyber espionage to private firms.

According to the report, most countries, including US allies, do it, but in a more limited way than China and Russia, which, “outsource wholesale hacking operations to individual groups and companies.”

The use of what are called, “cutouts and sympathetic agents to collect information on their behalf,” makes attribution of the attackers more difficult and also gives the governments “plausible deniability,” the report said.

That trend, said Israel Barak, CISO of Cybereason, means the conclusion that economic espionage has decreased is “problematic.”

“Fewer attempts might mean they already have access,” he said. “The amount attributed to cyber crime in manufacturing, health care and other industries is constantly on the rise.”

Barak said the trend is worrisome on another level as well, since these private hacking operations are expanding their attacks well beyond what they do for government. “We’re starting to see a tipping point here,” he said. “Hackers who contract with the government are making (through other ‘freelance’ cyber attacks) four to five times what those working for the government make.

“The only thing that restrains them is the fear that they will be caught and punished for using their skills outside government. If that fear is lessened, it will expand exponentially,” he said.

All of this has some experts suspecting that cyber espionage hasn’t decreased in any meaningful way – that it has just become less visible and more targeted.

As Kevin Murray, director at Murray Associates, put it, “once someone starts closely watching the cookie jar, the thief is forced to become more crafty.”

That would align with what former Department of Homeland Security secretary Michael Chertoff, now chairman of the security consultancy Chertoff Group, reportedly said at last summer’s Aspen Security Forum – that the word from the Chinese government to hackers was likely along the lines of, “If there’s something worth stealing, do it, but do it in a way that’s not so obvious.”

Quinn added that, “it would be naïve to expect the PRC to abandon economic espionage efforts entirely. The Chinese have engaged in espionage for more than 2,000 years, dating back to the time of Sun Tzu,” who lived from 544–496 BC.

While he doesn’t think it will become “quieter,” Quinn said he thinks it will be, “more advanced and low key.”

He said the relatively open nature of American society is a major reason US corporations are vulnerable to theft of their IP. “Much of the intelligence collection is still open source (OSINT),” he said, “and comes from visiting academics, students, scientific gatherings and commercial trade fairs. When analyzed properly the OSINT is used to develop a more target list for further exploitation. This is where the more clandestine methods begin.”

Quinn and others note that while China and Russia remain the prime practitioners of economic espionage, other countries – including US allies – do it as well.

Quinn referenced “Friendly Spies,” a book by Peter Schweizer (also author of the more recent and much more controversial “Clinton Cash”) published 24 years ago, in 1993, that is subtitled, “How America’s allies are using economic espionage to steal our secrets.”

In that book, Schweizer quotes Pierre Marion, France’s first director of the Directorate-General for External Security, saying that being military or diplomatic allies does not extend into the economic sphere. “In economics, we are competitors, not allies,” he said.

If economic cyber espionage against the US is to be stopped, or even brought under control, it will take both domestic and international efforts, experts say.

Barak said the problem, “really has to be tackled through international norms. The vast majority is outside the hands of the private sector, which can’t deal with it.”

Quinn said he thinks a review of more serious Chinese espionage cases should be used to, “create a study or compilation of lessons learned. Additionally, create an awareness of Chinese intelligence gathering activities and suggested countermeasures for US commercial firms.”

He said Trump could suggest intelligence sharing between the US and China, and perhaps create a bilateral group, “to conduct regular reviews of economic and cyber espionage cases. The same group should also have counterparts appointed in China.”

Murray, however, contended that the private sector needs to be much more effective in protecting itself. He pointed CSO to a 2015 blog post in which he declared: “We fight like hell for our freedom, but we let the world pick our intellectual pockets.”

Murray said the “punish-the-spy” model isn’t enough – that corporations should be held accountable as well, for failure to protect their assets.

“We need a law creating business counterespionage security standards, with penalties for inadequate protection,” he said, arguing that the US already, “successfully employs the same concept with medical and financial record privacy.”

Ultimately, Quinn said, the US should not depend on agreements – especially with adversaries. He cited a quote attributed to McDonald’s founder Ray Kroc: “Contracts, like hearts, are meant to be broken.”