Cybertheft is a tremendous problem for governments, companies and individuals. While actors in the space are pursuing a range of objectives, this post looks at cybertheft of intellectual property and its effects on industry. Thus, the huge losses incurred by governments and by individuals outside of the business arena are not addressed nor are the misinformation campaigns of recent years.
In 2011, The Council on Foreign Relations published an interview with Dmitri Alperovitch, then McAfee’s vice president of threat research. The interview was titled “Cybertheft and the U.S. Economy”. See Council on Foreign Relations, Cybertheft and the U.S. Economy, August 11, 2011, https://www.cfr.org/interview/cybertheft-and-us-economy. The summary introduction paragraph summed up the situation as follows:
“In August 2011, the cybersecurity firm McAfee released an eye-opening report (PDF) detailing its investigation into a multi-year, most likely state-sponsored cyberattack that includes intrusions into the U.S. federal government and defense contractors, resulting in the theft of massive stores of intellectual property. The report’s author and McAfee’s vice president of threat research, Dmitri Alperovitch, describes these attacks, known as Operation Shady RAT, as a profound threat, indicative of a larger trend that may result in ‘the complete destruction’ of the U.S. economy. Rather than focus on the potential for a theoretical ‘cyber Pearl Harbor,’ he says that U.S. policymakers should use all of the nation’s power to stem the steady theft of national secrets.”
A 2019 report prepared by PricewaterhouseCoopers for the European Commission examined the scope of the cybertheft problem for businesses in the EU. See PWC, Study on the Scale and Impact of Industrial Espionage and Theft of Trade Secrets through Cyber, 2019, https://www.pwc.com/it/it/publications/docs/study-on-the-scale-and-Impact.pdf. The estimated cost to EU industry was summarized in the conclusion on the last page:
“Estimates of February 2018 provide details of the negative impacts at the European level of cyber theft of trade secrets: about €60 billion lost in economic growth, resulting in a loss of competitiveness, jobs and reduced R&D investments. More specifically, 289,000 jobs could be at risk in 2018 in Europe and 1 million jobs could be at risk by Stakeholders emphasized that direct impacts account for about 10% of costs the company will have to face. Therefore, the remaining 90% of costs are due to indirect impacts that are effectively measured and assessed 5-6 years after the cyber-intrusion.”
There have been many other reports looking at the costs and problems from cyber theft. See, e.g., U.S. Department of Justice, REPORT OF THE ATTORNEY GENERAL’S CYBER DIGITAL TASK FORCE, 2018, https://www.justice.gov/archives/ag/page/file/1076696/download.
But efforts at cybertheft have continued and intensified. See, e.g., New York Times, U.S. Accuses Hackers of Trying to Steal Coronavirus Vaccine Data for China, July 20, 2020, https://www.nytimes.com/2020/07/21/us/politics/china-hacking-coronavirus-vaccine.html, (“The Justice Department accused a pair of Chinese hackers on Tuesday of targeting vaccine development on behalf of the country’s intelligence service as part of a broader yearslong campaign of global cybertheft aimed at industries such as defense contractors, high-end manufacturing and solar energy companies.”).
Theft of intellectual property and other cybertheft actions face civil and criminal penalties in many countries, including the U.S. and other WTO Members. U.S. law also permits blocking imports that violate IP holders’ rights (e.g., patents). The WTO since its launch in 1995 has had a Trade-Related Aspects of Intellectual Property Rights Agreement, which incorporates provisions from a range of IP conventions and requires WTO Members to provide adequate enforcement of such rights. The WTO has dispute settlement provisions which permit challenging trading partners who are not enforcing intellectual property rights. In addition, the U.S. has used its Special 301 authority to work with governments where the U.S. doesn’t perceive adequate enforcement occurring. It has also entered into bilateral agreements (e.g., the U.S.-China Phase I Agreement) to address enforcement concerns, including cybertheft of intellectual property.
Despite these tools and the vast sums spent by industry trying to protect its intellectual property, the problems continue and in many ways are intensifying.
Experts like Dmitri Alperovitch have put forward a series of proposals for U.S. Congressional and Executive Branch action in 2022 to improve the situation for U.S. companies. See January 14, 2022 email from Silverado Policy Accelerator, Inc. (Mr. Alperovitch is Co-founder and Executive Chairman), Silverado’s 2022 Cybersecurity Policy Priorities for the Legislative and Executive Branches. The contents of the email are copied below (NOTE: I serve as one of a number of strategic advisors to Silverado but was not involved in the cybersecurity issues).
“To the friends of Silverado Policy Accelerator,
“The past year witnessed several notable bipartisan policy advances in the cyber arena. In March, Congress authorized $1 billion for the Technology Modernization Fund as part of the bipartisan American Rescue Plan to support new investments in federal agencies’ cybersecurity infrastructure. In May, the Biden administration released its Executive Order on Improving the Nation’s Cybersecurity, which included provisions to increase security standards for vendors who supply high-risk software through the government acquisition process and a number of critical technology implementation requirements that raise the bar for security across federal government networks. Finally, the Infrastructure Investment and Jobs Act, passed by Congress in November, included $1.9 billion for a range of cyber-related investments.
“Although these bipartisan initiatives collectively represent a historic investment in the nation’s cybersecurity, there is much still to do to ensure that government agencies—as well as American companies and organizations—are protected from cyber attacks. As the legislative and executive branches look ahead to the coming calendar year, Silverado Policy Accelerator has compiled its own list of six policy priorities that deserve particular attention in 2022 (included below).
“Additionally, please join us tomorrow, January 13 from 9:00-10:00 am ET as Silverado’s Co-Founder and Executive Chairman Dmitri Alperovitch sits down with Congresswoman Yvette Clarke (D-NY), Congressman John Katko (R-NY), DHS Under Secretary for Policy Robert Silvers, and the FBI Cyber Division’s Assistant Director Bryan Vorndran to hear their perspectives on cybersecurity policy priorities for the coming year. You can register for tomorrow’s event here.
“A recording of tomorrow’s event will be available on Silverado’s website following the live broadcast.
“* * *
“Silverado’s 2022 Cybersecurity Policy Priorities for the Legislative and Executive Branches
“1. Passage of a comprehensive federal cyber incident reporting law
“In light of the 2022 National Defense Authorization Act not including provisions requiring companies to report hacks and ransom payments to the government, Congress should consider alternative paths to enacting a mandatory cyber incident reporting requirement in 2022. Such a law should require major private companies, including critical infrastructure entities, to report technical indicators associated with breach attempts to the Cybersecurity and Infrastructure Security Agency (CISA). CISA should also build the architecture to immediately pass the information on to other agencies with a need to know, such as the FBI and sector-specific relevant agencies. Rapid access to these incident reports by CISA and FBI, among others, is necessary to allow the government to have a clear view into adversary campaigns targeting the U.S. and to support timely federal action. Such legislation is critical to provide insights to the government about the true nature of the threat to the private sector in order to take appropriate deterrent action (criminal investigation, cyber offense, sanctions, etc.), as well as to help warn and notify other victims or vulnerable organizations who may not be aware that they have been targeted.
“2. Provide CISA with the appropriate authorities and resources to eventually become the operational federal CISO, or Chief Information Security Office, for the civilian federal government (excluding DoD and IC)
“Congress took an important step toward centralizing federal cybersecurity strategy by creating CISA in DHS in 2018, but the next step is to give CISA both the authority and the resources that it needs to effectively execute its mission. The long-term goal for CISA should be to evolve into an operational cybersecurity shared services provider for most civilian federal government agencies, taking over fully or partially their cybersecurity operations. Achieving this objective would result in streamlined and more effective cybersecurity efforts, centralized accountability and a higher standard for security across the government.
“Congress should support CISA’s ongoing efforts in the following ways:
- Provide CISA with the resources and authority to create a 24/7 threat hunting operation center to search for intrusions on federal networks.
- Authorize CISA to conduct a trial in which it assumes responsibility for running cybersecurity operations of a small executive agency. The trial would allow the government to gauge what sort of additional resources CISA would need to be able to evolve into an operational Chief Information Security Office (CISO) for the civilian federal government.
- Create budgetary and FISMA compliance incentives for federal agencies to outsource their cybersecurity operations to CISA, turning it into a Shared Service Provider for cybersecurity.
- Provide CISA with the appropriations that are commensurate with its growing importance by reallocating resources from agencies that opt into the Shared Service Provider model.
“3. Adopt speed and outcome-based metrics to measure agencies’ response time to cyber threats
“In cyberspace, the only way to reliably defeat an adversary is to be faster than they are. For this reason, Congress should require federal agencies to adopt speed-metrics that measure agencies’ response to cyber threats based on the time it takes to begin and complete fundamental defensive tasks.
“Through legislation, Congress could require agencies to adopt speed-based metrics by mandating that they collect data on the average time it takes to perform three fundamental defensive actions: (1) detecting an incident; (2) responding to an incident; and (3) fully mitigating the risk of high-impact vulnerabilities. Taking these measurements should be as simple as recording the times of the initial discovery of the event (intrusion or vulnerability) and the time when the investigation or mitigation action is finished. Thus, it should require minimal additional resources to implement. Congress could also include a “recoverability metric” to measure agencies’ ability to recover data in the event of a ransomware attack or major cyber incident.
“Over time, these metrics would provide objective and diachronic measurement of an agency’s incident response capabilities that they could report to CISA, OMB, and the relevant oversight committees in Congress. If the metrics prove effective at driving the right behavior to decrease agencies’ response time to cyber threats, Congress should also consider models to extend their adoption by the private sector.
“In addition to these fundamental intrusion and mitigation metrics, CISA should also be given the authority to develop new metrics beyond these fundamental intrusion and mitigation ones to respond to changes in the threat and defense landscape. To incentivize agencies to drive down the times it takes to discover and respond to intrusions or vulnerabilities, CISA should also implement a civilian-government-wide annual awards program to publicly acknowledge agencies and their leaders who achieve the best metrics.
“4. Strengthen the executive branch’s authority to sanction foreign cryptocurrency exchanges that fail to comply with basic “Know Your Customers” and anti-money laundering requirements
“Ransomware criminals rely on widely-available and largely anonymous cryptocurrency such as Bitcoin to collect hundreds of millions of dollars in ransom payments each year and to launder ransom payments into fiat currencies without risk of disclosing their identities to victims or law enforcement. Although U.S.-based exchanges are required by law to comply with robust “Know Your Customer” (KYC) and other anti-money laundering regulations, foreign exchanges have been slow to adopt similar requirements. The lack of widespread compliance undermines the efficacy of the U.S.’s and other like-minded governments’ efforts to clean up the global cyber ecosystem, since malicious actors can easily circumvent security requirements simply by using less secure foreign exchanges.
“The United States should pursue a two-pronged strategy to level the international playing field. First, it should work with existing and new trading partners to ensure they have adequate KYC and AML safeguards in place for cryptocurrency exchanges based in their jurisdictions. Second, the executive branch should explore its ability to sanction foreign cryptocurrency exchanges that fail to comply with minimum KYC and other anti-money laundering requirements or that refuse to cooperate with U.S. law-enforcement on investigations.
“The Treasury Department currently has broad authority to sanction specific foreign exchanges based on evidence that they cooperate with prohibited nations or entities, but it does not have the authority to sanction exchanges for non-compliance with KYC and AML regulations. Granting them such authority explicitly would likely encourage foreign institutions to implement these regulations in order to avoid the prospect of sanctions.
“5. Incorporate cyber-specific details into OFAC’s SDN list
“The most difficult task facing many foreign cyber threat actors is procuring anonymous, reliable, fast, and long-lasting infrastructure (such as domains and cloud servers) to support malicious cyber attacks. These actors frequently go to great lengths—including registering shell companies and developing complex anonymous payment mechanisms—to disguise their activity, since using stolen bank accounts and credit cards for payment often results in the rapid shutdown of their infrastructure once the chargebacks start being reported. In addition, threat actors are increasingly taking advantage of legal constraints on the U.S. intelligence community’s ability to monitor domestic networks to gain access to the U.S.-based cyber infrastructure needed to carry out attacks against both private sector companies and U.S. government agencies.
“The United States needs stronger mechanisms to deter cyber threat actors from leveraging U.S.-based cyber infrastructure to carry out cyber attacks. The Treasury Department’s Office of Foreign Assets Control (OFAC) already maintains a Specially Designated Nationals and Blocked Persons List (SDN), but the list only contains names of cyber criminals and other threat actors and does not include bank account information, credit card numbers or cryptocurrency wallets. As a consequence, the list is not always effective at identifying and blocking cyber threat actors, who almost always use fake names to procure infrastructure.
“The Treasury Department should consider how to add these other identifying financial elements to the SDN to allow payment processors and cryptocurrency exchanges to block adversary-initiated transactions at the point of sale.
“6. Require threat hunting on Defense Industrial Base (DIB) networks
“In March of 2020, the Cyberspace Solarium Commission recommended that Congress direct regulatory action that the executive branch could pursue in order to require companies that make up the Defense Industrial Base, as part of the terms of their contract with DoD, to create a mechanism for mandatory threat hunting on DIB networks. This recommendation was partially authorized in Section 1739 of the FY21 NDAA, but that article only required DoD to conduct an assessment on the feasibility and suitability of a DIB threat-hunting program without requiring DoD to establish the program after the report is issued. Congress should pass the necessary legislation to fulfill the intent of the initial proposal and enable DoD to execute threat hunting operations on the networks of cleared defense contractors that hold sensitive national security information.”
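Priority 3 in the email above proposes that agencies record two timestamps per event (initial discovery, and completion of the investigation or mitigation) and report the average time to detect, respond, and mitigate, plus a recoverability metric for ransomware. The following is an added example of what that bookkeeping could look like; it is not code from Silverado or from this post, and the incident records, field names, and the choice to report both mean and median hours are constructed assumptions for illustration.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample records (not real agency data). Each record carries the
# timestamps a speed-metric programme needs: when the event began, when it was
# first discovered, and when the response or mitigation was closed out.
# Ransomware events add a fourth timestamp: when data restoration finished.
INCIDENTS = [
    {"kind": "intrusion", "start": "2022-01-03T08:00",
     "discovered": "2022-01-05T14:00", "closed": "2022-01-07T10:00"},
    {"kind": "intrusion", "start": "2022-02-10T22:30",
     "discovered": "2022-02-11T01:30", "closed": "2022-02-11T13:30"},
    {"kind": "vulnerability", "start": "2022-03-01T00:00",
     "discovered": "2022-03-01T09:00", "closed": "2022-03-04T09:00"},
    {"kind": "ransomware", "start": "2022-04-15T03:00",
     "discovered": "2022-04-15T07:00", "closed": "2022-04-16T07:00",
     "restored": "2022-04-18T07:00"},
]

_FMT = "%Y-%m-%dT%H:%M"


def _hours(later: str, earlier: str) -> float:
    """Elapsed hours between two ISO-style timestamps (assumed same timezone)."""
    delta = datetime.strptime(later, _FMT) - datetime.strptime(earlier, _FMT)
    return delta.total_seconds() / 3600


def _summary(values: list[float]) -> dict:
    """Count, mean and median in hours; empty lists yield zero counts."""
    if not values:
        return {"count": 0, "mean_h": None, "median_h": None}
    return {"count": len(values),
            "mean_h": round(mean(values), 1),
            "median_h": round(median(values), 1)}


def speed_metrics(incidents: list[dict]) -> dict:
    """Compute the three speed metrics plus recoverability.

    detect   : event start -> discovery, for intrusions (incl. ransomware)
    respond  : discovery -> response closed, for intrusions (incl. ransomware)
    mitigate : discovery -> fix deployed, for high-impact vulnerabilities
    recover  : discovery -> data restored, for events with a 'restored' stamp
    """
    attacks = [i for i in incidents if i["kind"] in ("intrusion", "ransomware")]
    vulns = [i for i in incidents if i["kind"] == "vulnerability"]
    return {
        "detect": _summary([_hours(i["discovered"], i["start"]) for i in attacks]),
        "respond": _summary([_hours(i["closed"], i["discovered"]) for i in attacks]),
        "mitigate": _summary([_hours(i["closed"], i["discovered"]) for i in vulns]),
        "recover": _summary([_hours(i["restored"], i["discovered"])
                             for i in incidents if "restored" in i]),
    }


def slowest(incidents: list[dict], stage: str) -> dict:
    """Return the record that dragged a stage's mean upward, for follow-up review."""
    key = {"detect": ("discovered", "start"),
           "respond": ("closed", "discovered")}[stage]
    attacks = [i for i in incidents if i["kind"] in ("intrusion", "ransomware")]
    return max(attacks, key=lambda i: _hours(i[key[0]], i[key[1]]))


if __name__ == "__main__":
    for stage, stats in speed_metrics(INCIDENTS).items():
        print(f"{stage:9s} {stats}")
    print("slowest detection:", slowest(INCIDENTS, "detect")["start"])
```

Reporting the median next to the mean matters in practice: a single long-undetected intrusion (54 hours in the constructed data) pulls the mean time-to-detect to about 20 hours while the median stays at 4, and an oversight body comparing agencies would want both numbers rather than one.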
Are other trade remedies needed?
When the only remedies available to companies are individual or company-specific and require the cooperation of the country from which cybertheft is occurring (if offshore), companies that have been harmed are often reluctant to identify the problem or pursue legal action. Fear of retaliation by foreign governments can also reduce the willingness of companies to defend their commercial interests in such situations.
This raises the question whether broader-based remedies should be available to deter such activity and provide a major incentive for better behavior by trading partners where such conduct is not being addressed adequately.
For example, where a country provides notice to a trading partner of problems and there is no resolution in a relatively short period (e.g., 90 days), should the complaining party block imports of products in the same general category, prohibit investments in the sector, and/or other actions?
If the cybertheft from companies appears to be for the benefit of a foreign government or at the direction of a foreign government, should there be a loss of MFN treatment for the sector or more broadly?
The concerns around cybertheft could be addressed within the WTO or within bilateral or regional agreements. Considering the length of time that cybertheft has been harming many economies, unilateral action may be warranted pending broader agreement.