13 May 2015

Obama’s Much Publicized 2013 Anti-Cyber Espionage Plan Has Not Done Much to Stop Cyber Spying

Nicole Perlroth
An Obama plan to stop foreign hackers has mixed results

NEW YORK — Two years ago, the Obama administration announced a new strategy to curb online espionage.

The five-point strategy came after a 2013 article in The New York Times about how the newspaper had been breached by Chinese hackers. The Times, working with a security company, also concluded that thousands of other American companies had been hacked by a Chinese military unit in Shanghai.

The White House said it would increase public awareness of the threat, encourage the private sector to increase its defenses, focus diplomacy on protecting trade secrets overseas, improve trade secret theft legislation, and make investigations and prosecutions of corporate and state-sponsored trade secret theft a top priority.

Since then, public awareness is up and so is spending. But the hacking continues.

The private sector spent $665 million on data loss prevention last year, according to the technology research firm Gartner, with a 15 percent increase expected this year. On the legislative front, Congress strengthened penalties for those convicted under the Economic Espionage Act, raising the maximum fine for individuals convicted to $5 million from $500,000. And in terms of law enforcement, the FBI lists digital crime, including intrusions that result in trade secret theft, as its third priority, just behind terrorism and counterintelligence. The agency reported a 60 percent increase in trade secret investigations from 2009 through 2013.

But diplomatic efforts to engage China on the topic have largely failed. China’s response has simply been that it, too, is a victim of online attacks. And online espionage shows little sign of abating. Last year, 18 percent of the 1,598 confirmed breaches analyzed by Verizon were used for online espionage, compared with 22 percent of 1,367 attacks in 2013. Senator Sheldon Whitehouse, a Rhode Island Democrat, told a Senate Judiciary Committee hearing last year that 1 to 3 percent of US gross domestic product was still lost, every year, through trade secret theft.

“There hasn’t been any change,” said James A. Lewis, a digital security expert at the Center for Strategic and International Studies in Washington. “There’s a lot more we can do. But we haven’t reached our pain point for taking more drastic steps on cyberespionage, and the Chinese haven’t reached their pain point for stopping it.”

The Justice Department is under significant pressure to bring more trade secret cases under the Economic Espionage Act. But it is incredibly difficult to bring cases against sophisticated hackers, who are not only smart enough to cover their tracks but also smart enough to live outside the United States. It is equally difficult to serve court summonses to the Chinese corporations that investigators say they believe are benefiting from stolen trade secrets.

In 2013, the Justice Department brought several indictments that charged Chinese nationals with stealing trade secrets for the benefit of corporations in China, but none of the cases involved trade secrets obtained through online attacks. All the indictments involved either employees or former employees accused of passing their employer’s trade secrets to a company in China, or people who paid an employee to do so.

The story was similar in 2014. During the first nine months of the year, the Justice Department reported 20 new prosecutions under the Economic Espionage Act — a 33 percent increase from 2013 — and several convictions, but only two of the indictments involved trade secrets theft via digital intrusions.

One, the landmark indictment filed last year against five members of the People’s Liberation Army for hacking US companies, was largely symbolic, given that the United States has no jurisdiction in China.

In another, in August, a federal grand jury in California indicted a Chinese businessman on charges of conspiring to steal military secrets by hacking into Boeing and other US companies. The defendant, Su Bin, is awaiting extradition in Canada.

The Justice Department’s biggest success last year was when prosecutors obtained the first-ever federal jury conviction for economic espionage charges against two Americans and a corporation accused of selling DuPont trade secrets to a state-owned company in China.

But that was not a hacking case. The two were charged with stealing trade secrets the old-fashioned way, by poaching former DuPont employees. And in that case, too, the Justice Department’s efforts to bring charges against two Chinese citizens who played a central role in the theft, and the Chinese state-owned companies that benefited from them, have stalled.

Trying another tack, President Obama signed a new executive order in April that established the first sanctions aimed at curbing foreign cyberespionage. The order authorized financial and travel sanctions against anyone participating in online attacks that posed a threat to the “national security, foreign policy, or economic health or financial stability of the United States.” Until those sanctions are exercised, experts say, the only option for curbing digital espionage may be patient diplomacy.

“They don’t live here, so we can’t arrest them, and we’re not going to go to war over this,” Lewis said. “So the key is consistent persuasion and pressure. It may be slow and it may not work. But there is no other alternative.”

No comments: