Commission Calls For ‘Aggressive’ Anti-Hack Laws

By | May 23, 2013

Posted in: Network Security Trends

A high-level commission into the theft of US intellectual property (IP) has made wide-reaching recommendations on tightening cybersecurity, including “aggressive” changes to the law to bring it  up to date with rapidly evolving computer crime.

The Commission on the Theft of American Intellectual Property, chaired by former director of national intelligence Dennis Blair and former ambassador to China Jon Huntsman, said the scale of the theft ran to hundreds of billions of dollars a year, and the main culprit was China.

The commission’s report, published by the National Bureau of Asian Research, singled out hacking as one of the most-used ways of carrying out the theft of IP, which affects a range of industries including automobiles, automobile tires, aviation, chemicals, consumer electronics, defense systems, electronic trading, industrial software, and pharmaceuticals.

“A confluence of factors, from government priorities to an underdeveloped legal system, causes China to be a massive source of cyber-enabled IP theft,” the report said. “Much of this theft stems from the undirected, uncoordinated actions of Chinese citizens and entities who see within a permissive domestic legal environment an opportunity to advance their own commercial interests. While traditional industrial espionage techniques have been used extensively, cyber methods for stealing IP have become especially pernicious.”

The report added that in a world where valuable assets were intangible and easy to transfer over networks, espionage had taken on a new dimension. “The size and scale of recent attacks point to state sponsors, meaning that such events are no longer being perpetrated by ad hoc groups operating in the shadows but are much more organized and nationalized,” it said.

The commission urged companies to take a range of measures to mitigate vulnerability, including network surveillance, sequestering of critical information, and the use of redundant firewalls.

But it noted that such measures have proved largely ineffective in defending against targeted hackers, who it said were hired specifically to pursue American corporations’ intellectual property.

“A different concept for security, known as threat-based deterrence, has been identified as a means to protect the most important information in corporate or government networks,” the report said.

The commissioners said effective steps against targeted attacks had to be based on the reality that a perfect defense against intrusion was impossible. “The security concept of threat-based deterrence is designed to introduce countermeasures against targeted hackers to the point that they decide it is no longer worth making the attacks in the first place . . . Conceptual thinking about and effective tools for threat-based deterrence are in their infancy, but their development is a very high priority both for the US government and for private companies.”

The commission said legislation needed to be changed “to implement a range of more aggressive measures that identify and penalize illegal intruders into proprietary networks, but do not cause damage to third parties. Only when the danger of hacking into a company’s network and exfiltrating trade secrets exceeds the rewards will such theft be reduced from a threat to a nuisance.”

The report said current law and law-enforcement procedures had not kept pace with the technology of hacking and the speed of the Internet. “Almost all the advantages are on the side of the hacker; the current situation is not sustainable. Moreover , entirely defensive measures are likely to continue to become increasingly expensive and decreasingly effective, while being unlikely to change the cost-benefit calculus of targeted hackers away from attacking corporate networks.”

The commission said the Department of Justice and the  FBI should be given additional  resources to investigate and prosecute cases of trade-secret theft, especially those enabled by cyber means.  “These resources are especially needed to investigate cases where the theft was perpetrated against small businesses and start-ups,” it said. “Start-ups and small businesses are an indispensable part of the US culture of innovation, are being increasingly targeted by IP thieves, and have fewer resources to defend themselves.”

You May Also Be Interested In: