President Barack Obama must take tougher actions than those specified so far to deter cyber attacks on vital computer networks, including freezing offenders’ assets or denying them entry into the U.S., cybersecurity experts said.
Obama’s administration yesterday pledged to share more intelligence with companies about nations involved in economic espionage and methods used to steal corporate information, and to study the need for stronger U.S. laws against trade-secret theft. That came after Obama issued an executive order Feb. 12 to develop voluntary cybersecurity standards for companies operating power grids, telecommunication networks and banks.
Neither move would impose fines or penalties, and the executive order doesn’t require standards to be developed for a year. Obama’s administration announced its trade-secret strategy a day after computer-security firm Mandiant Corp. said the Chinese army is probably the source of hacking attacks against at least 141 companies since 2006.
“We’ve reached a point where we need to have some teeth to our response,” Adam Segal, senior fellow for China studies at the Council on Foreign Relations, said in a phone interview yesterday. “We can’t go around saying that this is the largest transfer of wealth in U.S. history and then just continue on the same course of action.”
U.S. counterintelligence officials in 2011 called China the world’s biggest perpetrator of economic espionage, saying cyber theft is jeopardizing an estimated $398 billion in U.S. research spending.
The U.S. government punishes companies, other governments and individuals for smuggling drugs or trafficking in conflict diamonds, Stewart Baker, a former assistant secretary for policy at the Department of Homeland Security, said in a phone interview yesterday. The government could deter cyber attacks or trade-secret theft by some of the same means, he said.
Those would include denying individuals or companies that perpetrate hacking or benefit from cyber attacks the right to operate in the U.S., said Baker, a partner at the Washington law firm Steptoe & Johnson LLP.
The House Intelligence Committee last year urged U.S. telecommunications companies not to do business with Chinese network-equipment makers Huawei Technologies Co. and ZTE Corp., saying they could be conduits for the Chinese government to install malicious hardware or software in U.S. networks.
“There are a lot of ways to raise the price of this kind of activity now that we know that the security of the attackers is no better than the security of the people they are attacking,” Baker said, referring to the ability of Alexandria, Virginia-based Mandiant to trace hacking to a neighborhood that includes the headquarters of a Chinese military unit.
The administration could freeze cyber thieves’ funds in U.S. banks or seize their property, Baker said.
In announcing the trade-secret strategy yesterday, administration officials said it was aimed at more than computer-based theft. They said the pace of economic espionage is accelerating through recruitment of current and former employees of companies, as well as cyber intrusions against U.S. businesses, law firms, universities and financial institutions.
“A hacker in China can acquire source code from a software company in Virginia without leaving his or her desk,” Attorney General Eric Holder said. “With a few keystrokes, a terminated or simply unhappy employee from a defense contractor can misappropriate designs, processes and formulas worth billions of dollars.”
Obama issued his cybersecurity order after Congress failed last year to pass a bill to better defend critical computer networks. U.S. Senate Republicans including Arizona Senator John McCain have joined the U.S. Chamber of Commerce in opposing legislation they say could lead to new cybersecurity regulations on companies.
U.S. Representatives Mike Rogers, a Michigan Republican, and C.A. “Dutch” Ruppersberger, a Maryland Democrat, reintroduced a proposal Feb. 13 to give legal protection to companies that share cyber threat information with each other and the government.
The bill passed the House last April and failed to advance in the Senate after Obama threatened a veto, saying the measure didn’t go far enough to boost defenses and failed to protect privacy of consumer data.
Obama’s executive order directs regulatory agencies to require the companies they oversee to meet mandatory cybersecurity standards, which will help improve security for those businesses, said James Lewis, a senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies. Companies might feel pressure to improve their digital defenses once the standards are developed next year, he said.
Still, the standards are voluntary, and nothing in the executive order will help deter cyber attacks on U.S. critical networks in the near future, Lewis said in a telephone interview yesterday.
The Obama administration could deny U.S. visas to the commanders of the Chinese military unit named in the Mandiant report, Lewis said.
A spokesman for China’s Foreign Ministry, Hong Lei, denied any military involvement in cyber attacks and said his department has been a victim of them.
Lewis called for a progression of steps to engage China, with fines and penalties when other options fail.
“Don’t go to the hard options until you’ve exhausted some of the other options,” he said. “Let them know it’s coming, though.”
The Obama administration should also work with international organizations like the North Atlantic Treaty Organization on preventing cyber espionage, David Fidler, a law professor and cybersecurity scholar at Indiana University, said in a phone interview yesterday.
“What China is going to worry about is the United States pushing a diplomatic initiative on a global scale,” he said. “We need to begin changing attitudes and pressure. The smart way to do it is a strategic initiative across multiple forums.”