Economic espionage is the dirty underbelly of globalization. Nation-states—particularly China—steal intellectual property from U.S. companies at an extraordinary pace. And they don’t just use computer hacking to do so: insider spies plant hidden audio devices in light switches, or retrofit smoke detectors with audio and video feeds.
The idea that businesses need to fend off attacks from heavily equipped nation-states makes it “An unfair game … not a balanced fight,” said Michael Oberlaender, the principal security strategist at Cisco Systems in the United States.
The focus has thus shifted from outright prevention to mitigation. The joke often told to illustrate this concept is of two men camping in the woods. One sleeps with his shoes on in case he “needs to run from a bear.” His friend tells him he can’t outrun a bear. He looks at his friend and says, “I don’t need to outrun the bear. I just need to outrun you.”
While cyberespionage is becoming more prominent, “there are also cases where they’ll infiltrate your company with internal spies,” said Oberlaender in a telephone interview from his home in Texas. Oberlaender is also the former chief security officer of German telecom Kabel Deutschland.
Raising the Costs
The tough reality is that no matter the precautions in place, not all attacks can be stopped—even for some of the most critical services. According to a 2012 survey of 172 critical infrastructure organizations by the Ponemon Institute and Bloomberg, companies would have to double their information technology (IT) security spending from $5.3 billion to stop just 84 percent of attacks.
“You don’t have the resources that a nation-state has,” Oberlaender said. He said his focus is on raising the bar as high as possible, so it becomes a numbers game for any would-be attackers. They then need to decide whether his company is worth the time and effort, or whether it makes more sense to just find another target.
He said that most of the cyberattacks he has seen were traced back to Chinese, Russian, and Eastern European Internet protocol (IP) addresses.
Due to the opaque nature of cyberattacks—one of their key advantages for espionage—it is nearly impossible to find definite proof of an attack’s origin.
Cybersecurity company Mandiant, however, was able to trace attacks back to the Chinese military’s Unit 61398. The discovery was a double-edged sword. On one side, it gave the U.S. government a strong resource to call out the Chinese regime for its campaigns of economic espionage. On the other side, the prospect for companies of facing a foreign military rather than just a well-organized group of hackers only painted a grimmer picture.
Large companies are required by law to report security breaches when they occur, and U.S. federal agencies also help alert them to attacks. The U.S. Secret Service was also assigned through the 2001 Patriot Act to reach out to companies and help secure their networks.
Deterring China
There are proposals, however, for more direct solutions to stop China’s state-run campaigns of economic espionage.
The U.S.–China Economic and Security Review Commission gave several proposals in its 2013 report to Congress. They range from banning imports from Chinese companies with products made from stolen U.S. intellectual property, to preventing offending companies from using U.S. banks, to making it easier for U.S. companies to file international lawsuits against China.
Other proposals take a more militaristic route. One would allow businesses to “conduct offensive cyber operations in retaliation against intrusions into their networks,” which range from taking back what was stolen to “physically disabling or destroying the hacker’s own computer or network.”
There are also supporters of legalizing counter-cyberattacks. Oberlaender said he finds the idea frightening. “It doesn’t bring you any positive business at the end of the day,” he said. “You don’t become a burglar just because you got robbed. Leave the attack response to those agencies that have the resources for that.”
