To protect American business secrets from being plundered by Chinese government hackers, the U.S. government may have to punish China's economy, says Michael Hayden, former director of both the Central Intelligence Agency and the National Security Agency.
The U.S. Department of Commerce's National Institute of Standards and Technology (NIST) on Tuesday published a draft cybersecurity framework including tips for companies to secure their networks against hackers. Companies can make public comments on the draft framework for 45 days before NIST issues a final version in February 2014.
Government working with businesses on network security is only part of the solution to stop Chinese hackers, Hayden says. Governments steal each other's secrets all the time, Hayden says, but China's government-sponsored hackers cross the line by targeting businesses, which should be treated as civilian targets and off-limits by government intelligence agencies.
"I've conducted espionage. I went after state secrets and I actually think we are pretty good at it," Hayden says. "Where I object is where you have state power being used against private enterprise for commercial purposes."
America's intelligence agencies exercise restraint by only accessing foreign secrets to ensure national security, while China and some other countries use their intelligence agencies to target U.S. businesses for the profit of their own business leaders, Hayden says. China has denied it is engaged in state-sponsored hacking of U.S. commercial sites.
"That's a very uneven playing field," Hayden says. "I'm offended by state espionage for industrial advantage."
The Obama administration condemned Chinese government hackers' thefts from U.S. businesses in March, when Tom Donilon, national security adviser to the Obama administration, said in a speech "the international community cannot afford to tolerate such activity from any country," and that China's intelligence agencies should "establish acceptable norms of behavior."
Since the Chinese government uses its hackers for economic gain, the U.S. should punish the Chinese economy rather than simply negotiating an espionage treaty, Hayden says. China already made agreements with the World Intellectual Property Organization and the World Trade Organization promising that it would not steal the intellectual property of foreign businesses.
The U.S. government could impose punitive costs on China related to licenses for Chinese businesses operating in the U.S., such as who gets visas and access to American higher education, Hayden says.
"Our two economies are interdependent, and it's false for us to assume that we don't have tools of persuasion," Hayden says. "My sense is that you don't fix this in the cyber lane, other than defending yourself better, you don't fix this in the espionage lane, you fix this in the broader relationship."
Corporate espionage is already a problem businesses face, but China should view government support of commercial espionage as "a foul by international standards," says Tim Pawlenty, CEO of the Financial Services Roundtable advocacy group.
"We need to use our influence as a country to convince China that if they want to be a respected global citizen and government, they need to follow some basic rules of the road, written or unwritten," says Pawlenty, a former presidential candidate and former governor of Minnesota.
Hacking a government contractor to determine the growth of U.S. airpower is a more legitimate example of espionage, as opposed to stealing designs for a commercial airliner and giving the designs to a China-based business, Hayden clarifies.
The Department of Defense partners with the Department of Homeland Security (DHS) on a cybersecurity information sharing program that includes government and private sector companies and contractors that work on U.S. military technology and components. This program, called the Defense Industrial Base, is a good start, but more steps are needed from NIST and other agencies to defend U.S. business secrets, says James Lewis, a cybersecurity analyst at the Center for Strategic and International Studies think tank.
The designs for Chinese military drones "look a little familiar," and indicate that the Chinese have been stealing U.S. military secrets, including designs for the Predator drone, Lewis says.
"Their stealth fighter probably is based on U.S. technology, and some of their submarine technology is based on U.S. technology," Lewis adds.
The NIST framework "gets the substance right," but the final version should be shorter and more simplified in how it presents recommendations to protect networks,
The next step to build on the advice of the framework is for NIST to do a handoff to somebody like the Department of Homeland Security (DHS) to have them encourage companies to accept best practices, Lewis says. That could in turn lead Congress to address how and whether the government could require companies to implement basic safety measures for networks.
"It's really easy to break into the networks of these companies," Lewis says. "We need some light touch governance like seat belts for the Internet. Car companies resisted adding seat belts until they were forced to by federal regulation."