Jason Healey is director of the Cyber Statecraft Initiative at the Atlantic Council. You can follow his comments on cyber cooperation, conflict, and competition on Twitter at @Jason_Healey.
Finally the Obama administration has come into the open in their calls against other nations' stealing of trade secrets, especially through cyberespionage. The just-released "Administration Strategy on Mitigating the Theft of US Trade Secrets" is the next in a promised string of new cyber policies and actions from a newly invigorated White House. Like the previously released cyber executive order, this new strategy is a good next step, much in line with my recent recommendations, but will need energy and follow through on the details. Bolder solutions will eventually be needed as the problems are as old as cyberspace.
The United States has suffered large-scale cyber espionage at least as far back as 1986, when German hackers rampaged through national labs, defense contractors, and military bases for more military-related information to sell to the KGB. In 1995, counterintelligence report to Congress said that "[c]omputer intrusions, telecommunications targeting and intercept, and private sector encryption weaknesses … account for the largest portion of economic and industrial information lost by US corporations."
Within 10 years, media reports were discussing the high tempo of Chinese espionage cases, though it took four private sector efforts to bring the details to light. In 2010, Google changed the way the world saw Chinese espionage by going public, crowdsourcing their response after they were deeply penetrated by cyberspies. The InfoWarMonitor revelation on GhostNet and the Shady Rat and Night Dragon exposés by Dmitri Alperovitch, now an Atlantic Council senior fellow, gave significant insight. The latest is from Mandiant, which took the technical groundwork of the past efforts and pinned the responsibility directly onto a specific Chinese military unit. This is "naming and shaming" of the guilty parties at its best, possibly influencing the White House decision to release their relevant strategy this week .
Many critics have dismissed the new strategy as lacking details or any new actions. While these are valid criticisms, they overlook the most important fact: Finally, after at least a decade, a U.S. administration is becoming more public about the problem and proposed solutions. This is a sea change in U.S. thinking and needs to be heralded and seized upon. Just early this week, the debate was focused on getting the administration do to something; now that can shift to whether they are the right things or go far enough. Inside the Beltway, the importance of such a change cannot be overlooked.
The White House will have a harder time convincing critics that this isn't more of the same, when the strategy uses the word "continue" over 20 times (as in, the "Administration will continue to apply sustained and coordinated diplomatic pressure on other countries to discourage trade secret theft.") The strategy leaves out specifics actions that might be taken against specific Chinese transgressors.
The next step for the White House should be to twofold.
First, the administration must strengthen its position by releasing a compilation of specific examples of both Chinese intrusions and where pilfered U.S. information has been used by foreign companies, either for competitive advantage or directly in products. The current strategy only includes examples of successful prosecutions of the theft of trade secrets which is not enough on its own.
Second, the White House should issue a new executive order with implementing actions, including the details which are missing from the strategy.
For example, a new executive order could get away from the generalities of the strategy to specifics, such as, "The U.S. government will impose counteracting duties if it finds companies using technologies derived from those stolen from U.S. companies or from our allies," or, "The U.S. government will refuse the right of entry for any executive of an organization found to be engaged in trade espionage, either directly or tangibly enjoying the fruits of stolen U.S. information."
An executive order should emphasis naming and shaming, which deserves a central role. It should in fact be a goal to treat trade secrets like bribery, an international wrong. The United States and like-minded nations should therefore vilify any company or executive that accepts stolen information, from whatever source, a point made recently by Alperovitch. Don't grant visas to their executives and families and pursue criminal cases against them, through Interpol if needed. Blacklist their company from government contracts or don't even allow their company's imports into any like-minded nation.
After years, the U.S. policy community can debate these ideas openly, without concerns of classification issues. Just three years ago the three words "Chinese," "cyber" and "espionage" could not even be strung together inside the Beltway, for fear of disclosing classified information. This new strategy marks an important step forward to normalizing this as an issue and has finally broken the ice on new, hopefully successful, solutions.