Last month the IP Commission Report was published by The National Bureau of Asian Research. This report chronicles the theft of American Intellectual Property and is a great read. The world of InfoSec tends to focus on vulnerabilities and infamous hacks.
The Report surfaces the need to engage in meaningful discussions about a geopolitical economic struggle and a philosophical debate about what is right and wrong and the importance of the rule of law on a global scale within the global economy. First, what I think and then the summary of the article.
WHAT I THINK
Many U.S. organizations are still slow to respond to this threat. Perhaps it is the chasm between executive management and the technical security teams. On one side, the business is managing risk; on the other, they are operating controls and managing vulnerabilities. The two are seemingly not able to read from the same page and interpret the current risks to the organization until it is too late.
A new paradigm or security model is required to defeat this threat. Some of those ideas were presented in the report including the support for innovating technologies to identify stolen IP and allow for more aggressive cyber offensive actions. As security professionals we need to come clean with the fact that the bad guys are going to get in again and again. We need to move to a model that can efficiently identify the intrusion and then mobilize response teams to contain, eradicate, and once the law permits, retaliate.
From the U.S. legal system perspective, we need to be able to do more than send Obama to China and ask the PRC President to pretty please stop stealing our IP. I personally wouldn’t mind seeing a 100% tariff on all Chinese goods until they can demonstrate they have effectively curbed hacking our IP. Domestically, when a company is found to be negligent in their controls, they get 20 years of FTC security audits and fines.
ARTICLE SUMMARY: THE PROBLEM
- While not surprising, the People’s Republic of China (PRC) figures prominently in the report as the major base for Intellectual Property (IP) theft (an estimated 70%). The report also recognizes that the PRC has indeed gone through much change in the last several decades of evolution and reform. In the end, there is a belief that the PRC can and will reform itself over time. The paper is intended to aid in pragmatic recommendations toward those necessary reforms and states as much in its introduction.
- The amount of stolen IP is not knowable. It is still estimated by members of the Commander of the US Cyber Command Center and Director of the National Security Administration to be over 300B annually; that is close to our current annual exports to China, making it “the single largest transfer of wealth in history.”
- The current American response to this issue of condemning countries and trying to prosecute known offenders has been totally inadequate to date.
- Existing laws, legal processes, trade agreements and resources are all too slow and under-resourced to address the problems. Furthermore, the underlying incentives to steal IP are too great for these to work anytime soon.
- With “hundreds of billions” of dollars in stolen IP, the loss of revenue hurts both inventors and investors. America’s total IP value is estimated at 5 trillion. 300B per year in stolen IP is 6% of the IP economic value.
- 77% of the software used in China is pirated, which is worse than the global estimate of 42%, an already staggering number.
- The potential of continued losses stifles future inventors and investors.
- Loss of innovation and investment leads to a reduction of jobs and economic stagnation – as much as 27M jobs in the U.S. in 2012.
- The impact is not just to the G8 countries, but also developing countries which often get the jobs and/or provide the raw materials needed for production. IP theft is not a victimless crime where, like Robin Hood, the poor merely steal from the rich – everyone ultimately suffers.
- This has become a national security issue of the utmost importance.
THE REPORT RECOMMENDATIONS (SHORT TERM)
- Designate the national security advisor as the principal policy coordinator for all actions on the protection of American IP.
- Provide statutory responsibility and authority to the secretary of commerce to serve as the principal official to manage all aspects of IP protection.
- Strengthen the International Trade Commission’s 337 process to sequester goods containing stolen IP. This is the process the International Trade Commission (ITC) uses to impound imports suspected of containing or benefitting from IP theft based on probable cause.
- Empower the secretary of the treasury, on the recommendation of the secretary of commerce, to deny the use of the American banking system to foreign companies that repeatedly use or benefit from the theft of American IP.
- Increase Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) resources to investigate and prosecute cases of trade-secret theft, especially those enabled by cyber means.
- Consider the degree of protection afforded to American companies’ IP a criterion for approving major foreign investments in the United States under the Committee on Foreign Investment in the U.S. (CFIUS) process.
- Enforce strict supply-chain accountability for the U.S. government, establishing controls that enable suppliers to the U.S. government to guarantee the strongest IP-protection standards.
- Require the Securities and Exchange Commission (SEC) to judge whether companies’ use of stolen IP is a material condition that ought to be publicly reported in disclosure statements to boards and shareholders.
- Greatly expand the number of green cards available to foreign students who earn science, technology, engineering, and mathematics degrees in American universities and who have a job offer in their field upon graduation.
THE REPORT RECOMMENDATIONS (MEDIUM TERM)
- Amend the Economic Espionage Act (EEA) to provide a federal private right of action for trade-secret theft. If companies or individuals can sue for damages due to the theft of IP, especially trade secrets, this will both punish bad behavior and deter future theft.
- Make the Court of Appeals for the Federal Circuit (CAFC) the appellate court for all actions under the EEA.
- Instruct the Federal Trade Commission (FTC) to obtain meaningful sanctions against foreign companies using stolen IP.
- Strengthen American diplomatic priorities in the protection of American IP.
THE REPORT RECOMMENDATIONS (LONG TERM)
- Build institutions in priority countries that contribute toward a “rule of law” environment in ways that protect IP.
- Develop a program that encourages technological innovation to improve the ability to detect counterfeit goods. Prize competitions have proved to be both meaningful and cost-effective ways to rapidly develop and assess new technologies.
- Ensure that top U.S. officials from all agencies push to move China, in particular, beyond a policy of indigenous innovation toward becoming a self-innovating economy.
- Establish in the private, nonprofit sector an assessment or rating system of levels of IP legal protection, beginning in China but extending to other countries as well.
THE REPORT RECOMMENDATIONS (CYBERSECURITY-SPECIFIC)
- Implement prudent vulnerability-mitigation measures. Activities such as network surveillance, sequestering of critical information, and the use of redundant firewalls are proven and effective vulnerability-mitigation measures.
- Support American companies and technology that can both identify and recover IP stolen through cyber means, without damaging the intruder’s own network.
- Reconcile necessary changes in the law with a changing technical environment, such that both technology and law are developed to implement a range of more aggressive “cyber offensive” measures that retrieve stolen IP or damage the systems of hackers.