Aggressive Options Considered to Counter Chinese Hacking

By Gary Feuerberg
June 30, 2013 Updated: December 15, 2013

WASHINGTON—Frustration was profound in the hearing room on Capitol Hill over what to do about the rampant cyber thefts committed by China. The economic costs are staggering and the damage to national security is huge.

On June 25, the Congressional-Executive Commission on China (CECC) heard expert testimony on the impact of Chinese cyber-attacks and cyber espionage on American-owned businesses and industries, and on how the problem is getting worse with no apparent solution available. Are more aggressive measures called for to raise the stakes for the Intellectual Property (IP) thieves? Possible actions of a more forceful nature for fighting back were raised for consideration.

Main Culprit: China

Former Senator Slade Gorton (R-Wash.) testified on the findings of the Commission on the Theft of American Intellectual Property, or “IP Commission,” which issued its report in May. Former Director of National Intelligence Dennis Blair and former Ambassador to China Jon Huntsman are co-chairs of this prestigious commission. Gorton, who is a member as well, said that while the exact figure is unknowable, annual American IP losses overseas are estimated conservatively to be over $300 billion, which is comparable to the current annual level of U.S. exports to Asia.

The IP Commission estimated that China’s share of international IP theft lies between 50 and 80 percent, which again is a conservative estimate, Gorton said. One study by the U.S. International Trade Commission suggested that “if China had the same level of IP protection as the United States or the UK, there would be an increase of 2.2 million new jobs within the United States,” said Gorton in his written testimony.

Stealing trade secrets through cyber espionage across oceans is one major way that intellectual property rights are violated. One example is the People’s Liberation Army (PLA) Unit 61398, working out of a building in Shanghai that was identified as the source of many cyber-attacks. The unit stole hundreds of terabytes of data from at least 141 companies spanning 20 major industries, according to evidence uncovered by the security firm Mandiant in a report released in February 2013. Senator Sherrod Brown (D-Ohio), CECC Chair, said at the hearing that 115 of the companies were based in the United States.

However, Gorton cautioned the Committee not to underestimate traditional industrial and economic espionage. He referred to the arrest in May of two researchers from China (the third researcher charged had left for China before an arrest could be made) working at New York University’s Langone Medical Center, for allegedly receiving bribes from a Chinese medical imaging company and a Chinese state-supported research entity for transmitting research in MRI technology. 

The IP Commission states, “National industrial policy goals in China encourage IP theft, and an extraordinary number of Chinese in business and government entities are engaged in this practice.” 

The scale and scope of the cyber hacking “seriously call into question China’s commitment to the rule of law,” said Sen. Brown.

Aggressive Measures

Sen. Carl Levin (D-Mich.) introduced his bill S.884, the “Deter Cyber Theft Act,” co-sponsored with Republican Sens. John McCain (Ariz.) and Tom Coburn (Okla.), and Democrat Jay Rockefeller (W. Va.), as a tool for Americans “to fight back.” He explained his bill would require the president to block certain imports linked to IP theft. If the president determines that action is warranted, to enforce Intellectual Property Rights (IPR) or to protect the Department of Defense supply chain, then “Goods made with U.S. technology or proprietary information stolen in cyberspace” would be blocked.

This approach would shift the focus in dealing with countries designated as the worst cyber thieves from leveling charges and hearing their denials of cyber espionage to taking punitive action where it hurts—“in the pocketbook,” said Levin.

Gorton said that the IP Commission listed more radical ideas at the end of its report, which it wasn’t ready to formally recommend now but which he said ought to be considered. One of these ideas is to allow counterattacks, which are prohibited by law. The IP Commission report says, “If counterattacks against hackers were legal, there are many techniques that companies could employ that would cause severe damage to the capability of those conducting IP theft.”

Because of the “questions of collateral damage caused by computer attacks,” the IP Commission wasn’t ready to endorse this recommendation until more research has been done.

Dr. James Mulvenon, who is director of the Center for Intelligence Research and Analysis, Defense Group, said that such counterattacks have already begun despite the legal uncertainties. “We are seeing certain companies that are advertising as part of their service that they will engage in aggressive measures or even hack back on behalf of companies in the absence of the U.S. government doing anything to help them.”

Mulvenon said the 1986 Computer Fraud and Abuse Act is outdated and needs to be revised. Companies are looking to the U.S. Congress (and Department of Justice) to get clarification on where the legal boundaries are with respect to hack back and similar aggressive measures, he said. 

Mulvenon said that he has been promoting the idea of identifying companies and large civilian universities in China that are known for supplying the tools and personnel for cyber espionage and putting them on the denied entries list from the Commerce Department. Those on the list, such as professors and graduate students, would be denied visas to the United States. He said this would create a constituency within China that “all of a sudden now is feeling the pain of actions that they are not profiting from, and will create basically a constituency within China that will begin to say, ‘OK, this is no consequence free activity for us anymore.’”

Plausible Deniability

Innovation is one of the drivers of the U.S. economy and productivity growth. The fact that IP theft acts as a disincentive was mentioned often at the hearing. “Better protection of IP would encourage significantly more R&D investment and economic growth,” says the IP Commission’s report.

Mulvenon said that in the 2005-6 timeframe, the P.R.C. decided it didn’t want its future to be only assembling other people’s products, but wanted to make its own. So it came up with the campaign of “indigenous innovation,” establishing “national champions.” However, “state-driven innovation is an oxymoron,” with no chance of success, said Mulvenon. Its only recourse then was to steal other people’s innovations, he said.

In his written testimony, Mulvenon said that Chinese “intrusions” are known in the cyber community for being “incredibly sloppy,” and sometimes leave attribution evidence. He suggests that they may not even care so long as they can make a claim of “plausible deniability.”

Congressman Chris Smith (R-N.J.), CECC Cochair, said at the hearing that his Human Rights Subcommittee computers were attacked in 2006 and again in 2007 by a virus that IT professionals said came from the P.R.C. The attackers hacked into files related to China and the names of Chinese dissidents. Smith said, however, that this discovery didn’t “absolutely prove that Beijing was behind the attack,” proving that though the denial is a fig leaf, it’s all that China regards as necessary coverage.