China Hackers In Your Business Data? You Can (Almost) Fight Back

The recent U.S. bans on Chinese technology companies (by adding them to the U.S. Export Administration’s Entity List) are not new but are a continuation of ongoing concerns with Chinese government deficiencies. This is the same Chinese government that requires Chinese organizations “support, cooperate with and collaborate in national intelligence work,” accelerating China’s great technological leap forward by appropriating trade secrets and technology from other companies and governments. The U.S. government and U.S. companies are rightly concerned and have been for decades. Several Chinese companies (generally in the aerospace industry) and Russian companies (the nuclear industry) have been on the Entity List since its inception in 1997, back when many of us were using Netscape Navigator on our 28.8Kbps or 33.6Kbps modems and could only access broadband internet (and our favorite search engine Lycos) at our local universities. 1997 was four years before China’s accession to the WTO.

Stealing secrets was much harder two decades ago. Fast forward to 2008, when experts expressed concern that China’s cyber intrusions were becoming “more frequent, more targeted, and more sophisticated.” Today, with broadband internet, telecommunications companies like Huawei have the potential to embed software and hardware laced with malware at virtually every internet node and in virtually every IoT device. The U.S. does not want to cripple Chinese technology advancements “just because” the U.S. is an economic bully, though that is the Chinese government’s internal refrain. The USTR’s Section 301 complaint focuses on China’s unfair trade practices and overt actions that lay the groundwork for Chinese companies to acquire, force the transfer of, or steal trade secrets, including IP, customers’ personal data, and valuable technological data. As we discussed in a previous blog post about China’s own cybersecurity law, China recognizes the value of its data, requiring all CII (Critical Information Infrastructure) Operators to keep within mainland China all personal information and important data collected and generated within mainland China. They are not allowed to transmit such data overseas without first passing a security review.

U.S. companies affected by cybercrime (China having been identified by security experts as among “the world’s most active and persistent perpetrators of economic espionage”) do not have many avenues to cope with these advanced persistent threats. Depending on the information accessed and stolen as a result of the systems breach, companies will generally be concerned with: (1) damage control (assuring their valuable customer base either that nothing sensitive was compromised or that “it will never happen again”), (2) how to prevent getting hacked again (enhancing their network and security defenses), and (3) how to mitigate the company’s damages in the marketplace from stolen trade secrets being used by their rising Chinese competitors (preserving company value moving forward, which is extremely important to stockholders). Chinese hackers seek high-value technological information, which means that whatever information is of value to the U.S. company will be valuable to a similar Chinese company in the same industry.

The U.S. is not idly standing by: it recently targeted five Chinese supercomputer companies by adding them to the Entity List, where they joined four other Chinese supercomputer companies added in 2015. The U.S. government is also increasing its offensive cyber warfare on Iran, China, and others. The Chinese hackers, at least, are fighting back, and they are persistent. What recourse do U.S. companies have in the face of so much relentless aggression, which is sometimes a daily occurrence? They can report the intrusion and theft to U.S. state and federal law enforcement agencies, who may not have the time, resources, or inclination to pursue the hack (only 165 cases of computer fraud were pursued by the DOJ in 2017 and only 160 in 2018). Or maybe they can receive a battlefield commission and join the ranks of the deputized in the global cyber conflict.

Recently, U.S. Representative Graves of Georgia proposed H.R. 3270, the Active Cyber Defense Certainty Act, aimed at providing a defense to prosecution for fraud and related activities when those activities are undertaken as defensive measures against unauthorized intrusions into company information networks. In brief, the bill would protect defensive hackers from prosecution in the U.S. if they follow certain guidelines. First, they must report the crime to law enforcement, specifically the FBI National Cyber Investigative Joint Task Force, and receive the green light to move forward with defensive measures (either obtaining prospective approval or approval to deploy defensive measures after being hacked). The FBI may provide additional guidance on improving those defensive measures. Second, they should improve their system’s defensive measures, including receiving enhanced training, utilizing strong passwords, and routinely updating and patching computer systems. Third, defenders are admonished not to violate the laws of any other nation where the attacker’s computer may reside. This severely limits what a defender can do, but the operative word in the proposed legislation is “defense,” not “offense.” Fourth, cyber defense techniques should only be employed by qualified defenders with a high degree of confidence in attribution, and extreme caution should be taken not to impact intermediate computers (which are the foundation of all sophisticated cyber attacks), escalate the cyber activity, or cause collateral damage (e.g., physical injury, financial loss, threats to public health or safety, or effects on U.S. government computers). Attributional technology is permitted to help identify the attacker, but measures that allow the defender to hack back in an offensive manner to cripple the attacker’s entire system are not authorized (though the defender can disrupt continued offensive hacking that affects their own systems).

Defenders will still be able to seek civil remedies (compensatory damages and injunctive relief) if they resort to these defensive measures. Active cyber defense measures will not need to be conducted solely through in-house cybersecurity expertise but rather can be undertaken “at the direction of” an authorized defender. This means that the ranks of cybersecurity firms may swell in the future with would-be defensive hackers and that the rest of us may want to invest in the stock of trusted and credible U.S. cybersecurity firms. These threats from China, North Korea, Iran, Russia, and elsewhere will continue to increase, not decrease.

There is, perhaps, one shade of a silver lining. China has been stealing commercial secrets for decades to the detriment of U.S. businesses. But for all of its efforts, China has yet to develop much in the way of robust domestic industries on the backs of these stolen technologies. That is because having the plans in hand is not the same as having the deep expertise that created the plans (see China’s Copycat Airforce). When will China have the capability (and willpower) to fully replicate what the U.S. has in R&D strength?

In the meantime, it is still crucial to evaluate and enhance your network security and train (and retrain) anyone with access to your network.