Report Says Active Recovery Efforts Could Deter IP Theft By Foreign Attackers

An independent commission focused on the threat of intellectual property theft from U.S. companies says that between 50 percent and 80 percent of all IP theft originates in China and, in a new report, urges the government to take stronger action against government-sanctioned IP theft. The Commission on the Theft of American Intellectual Property said in the report that the dollar value of all IP stolen from the U.S. in a year could approach the value of all American trade with Asia, a figure in the hundreds of billions of dollars.

The problem of IP theft through various means, such as espionage and cyber attacks, has been a growing concern for U.S. politicians and policymakers over the last couple of years, although the issue has existed for far longer than that. Congress and the Obama administration have spoken publicly about the problem and have said they will discuss the issue directly with China. The report from the IP Theft Commission, which is led by Jon Huntsman Jr., former ambassador to China, and Dennis Blair, the former director of national intelligence for Barack Obama, lays out the problem in detail and recommends that U.S. officials strengthen their response.

“The annual losses are likely to be comparable to the current annual level of U.S. exports to Asia—over $300 billion. The exact figure is unknowable, but private and governmental studies tend to understate the impacts due to inadequacies in data or scope. The members of the Commission agree with the assessment by the Commander of the United States Cyber Command and Director of the National Security Agency, General Keith Alexander, that the ongoing theft of IP is ‘the greatest transfer of wealth in history’,” the report says.

The nature of IP theft makes it impossible to pin down an exact dollar value for stolen property, but security experts and politicians agree that it represents a serious threat. The commission’s report recommends a broad range of actions to address the problem, including denying access to the U.S. banking system to companies that repeatedly engage in IP theft, giving more green cards to foreign students who earn relevant science and technology degrees in the U.S. and amending the Economic Espionage Act to allow companies to sue for damages from IP theft.

But the section that’s likely to draw the most interest in the security community is the one that recommends U.S. businesses have the ability to use electronic means to retrieve stolen files from attackers’ networks.

“Without damaging the intruder’s own network, companies that experience cyber theft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information,” the report says. “Both technology and law must be developed to implement a range of more aggressive measures that identify and penalize illegal intruders into proprietary networks, but do not cause damage to third parties. Only when the danger of hacking into a company’s network and exfiltrating trade secrets exceeds the rewards will such theft be reduced from a threat to a nuisance.”

These recommendations are treading close to the line of what’s become a very contentious topic in the security community: hacking back. Many security experts take a dim view of this idea, pointing out that there are more potential drawbacks than advantages in such operations. Attacking other computers or networks is illegal, of course, and private sector companies attempting to go after stolen IP on their own could easily open themselves up to prosecution as well as more hostile actions from attackers. The other issue is that finding out who the actual source of an attack is can be extremely difficult.

“Attribution is so hard with today’s open Internet, the lack of authentication and the way protocols were developed,” Randy Sabett, counsel at ZwillGen, a Washington, D.C., law firm, told Threatpost earlier this year. “You don’t know who the ultimate source of the attack is.”

Discussing the idea of compromised companies going after the attackers, Dave Aitel, CEO of Immunity Inc., said on Fox Business Friday that the concept is flawed.

“Frankly, it’s a daft response to this kind of activity,” Aitel said.

The commissioners carefully negotiate those waters, though, by recommending the deployment of watermarking and other technologies that can determine when files leave an authorized network and identify where they wind up.

“For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account. Such measures do not violate existing laws on the use of the Internet, yet they serve to blunt attacks and stabilize a cyber incident to provide both time and evidence for law enforcement to become involved,” the report says.

The IP Theft Commission report stops short of recommending that the U.S. government deploy its intelligence and military cybersecurity assets to help private companies recover their stolen IP. There have been calls for the government to conduct such operations, but current U.S. policy and law make these campaigns unlikely, at least as things stand now. That may change if things continue on their current path, particularly with regard to China.

The commission’s report mentions a number of countries as being major actors in IP theft operations against the U.S., but singles out China as the worst offender.

“A confluence of factors, from government priorities to an underdeveloped legal system, causes China to be a massive source of cyber-enabled IP theft. Much of this theft stems from the undirected, uncoordinated actions of Chinese citizens and entities who see within a permissive domestic legal environment an opportunity to advance their own commercial interests. With rare penalties for offenders and large profits to be gained, Chinese businesses thrive on stolen technology,” the report says.

If that sounds a lot like some of the descriptions of the cybercrime problem from several years ago, it should. The lack of modern anti-cybercrime laws in many countries has allowed the criminal underground to flourish, and the IP theft report describes many of the same conditions with regard to economic espionage.

Image from Flickr photostream of Dirk Gently.
