The ubiquity and economic damage from cyberattacks is a well-worn subject. But a House hearing Tuesday revealed little consensus among lawmakers and cybersecurity experts on the proper path forward.
The House Energy and Commerce Committee oversight subcommittee convened to discuss how Congress and federal agencies can best address ongoing intellectual property theft. But depending on who was talking Tuesday, China either can or cannot change its proclivity for cybertheft; the commerce secretary should or should not be tasked with implementing policies to protect IP; the U.S. economy is or is not losing $300 billion annually to IP theft; and the information leaked by Edward Snowden will or will not hurt U.S. discussions with China.
The debate went on long enough that one of the panelists, former Sen. Slade Gorton, R-Wash., had to excuse himself to make another meeting.
Gorton, currently a member of the Commission on the Theft of American Intellectual Property, proffered the $300 billion estimate, adding the country was also losing 2.2 million jobs as a result of IP theft.
“Just imagine what [having those jobs] would do for us all by itself,” he said.
Susan Offutt, chief economist of applied research and methods at the Government Accountability Office, questioned the findings. It cannot be assumed, she argued, that intellectual property theft hits each industry equally. The $300 billion assessment pegs lost revenue across each industry at 6 percent.
“There’s certainly no way to look across all the diverse sectors of the economy and suggest that the theft is characterized in any particular way that would be common to all of those,” she said. “So the estimate that has gained currency in this discussion is in our view not credible.”
But IP theft is happening. And China is behind much of it — anywhere from half to two thirds of the $300 billion, Gorton said. It’s embedded in the Chinese culture and part of the country’s economic development plan, according to James Lewis, director of the Center for Strategic and International Studies. China’s desire to lift others intellectual property comes from a desire to surpass the West, yes, but also a fear its society has lost its ability to innovate and slowing growth could pose a challenge to the ruling party’s power.
“In the U.S., military espionage is heroic and economic espionage is a crime,” Lewis said. “But in China, the line is not so clear.”
Which doesn’t have to be the case forever.
“One of the things we can do is make the line a little clearer to them,” Lewis said. “They know they’re caught.” If the U.S. presses the issue for several years, “you can get [the Chinese] to change their behavior,” he added, citing his positive nonproliferation discussions with China in the 1990s.
Not so, said Larry Wortzel, commissioner of the U.S.-China Economic and Security Review Commission.
“They will steal and reverse-engineer anything they can get their hands on,” he said. “If we were to establish rules of the road for how we were going to respect the transfer of property over the Internet, how are we going to do this with a country where their understandings of freedom are so basically different from ours?”
Regardless, the U.S. does need to establish cybersecurity standards, the panelists said. The National Institute of Standards and Technology just released the first draft of a framework all businesses can follow to assess their cyberrisks, and the House passed the Cyber Intelligence Sharing and Protection Act in recent months. But both Democrats and Republicans on the committee criticized CISPA for its toothlessness.
“This is a flawed bill that relies on a purely voluntary approach,” said Rep. Henry Waxman, D-Calif., adding it also does not sufficiently protect personal information.
And the NIST framework is a start, but still a list of suggestions, not mandates.
Which is why Australia might be the model to follow, Lewis said. After Chinese hackers compromised the email accounts of nearly the entire government, the Australian intelligence agency developed 35 strategies (steps as simple as reducing the number of people with administrator privileges — “It’s pretty basic stuff,” Lewis said) and mandated all agencies implement them.
“The Australians told me it was an 85 percent reduction in successful cyberattacks,” Lewis said. “I said I don’t believe it. So they let me go and talk to some of the magistrates that tried it. They told me 85 percent is wrong. It’s actually higher.”
Rep. Michael Burgess, R-Texas, interrupted him: “Are you at liberty to share these [strategies]?”
“I’ll definitely pass it along,” Lewis said.
Gorton suggested these policies could be implemented by the commerce secretary, as the Commerce Department reports to that House Committee.
“Commerce has sufficient human, budget, and investigative resources to address the full range of IP-protection issues,” he said, adding the agency could also be charged with seizing imported products developed using stolen patents.
But other panelists said the White House remains the best to implement new policies. Wortzel even suggested the president declare IP cybertheft “an extraordinary threat to national security,” which would give the White House enhanced executive authority.
And so the debate continues.