At the moment, hacking is top of mind for the American public, and companies are spending more on security than ever before. But has the problem gotten any better? Not quite.
Last year the number of cyberespionage incidents confirmed by Verizon in its latest data breach investigations report increased to 548 from 511 the year prior. And even though research firm Gartner predicts that information security spending will grow this year to $76.9 billion from $71.1 billion a year ago—an 8.2% increase—the problem persists. State sponsored attackers continue to loot corporate networks for classified information, seeking commercial, military, and political advantage.
Type of data stolen through cyberespionage.Courtesy of Verizon
How has the U.S. handled this threat to its economic well-being? Back in Feb. 2013, President Barack Obama unveiled a plan to beat back cyberespionage.
“Trade secret theft threatens American businesses, undermines national security, and places the security of the U.S. economy in jeopardy,” the administration’s strategy document said. “These acts also diminish U.S. export prospects around the globe and put American jobs at risk.”
The plan laid out five ways the U.S. would counter industrial spying. They can be summed up as:
- Using diplomacy to discourage trade partners from stealing trade secrets
- Encouraging companies to share best practices around risk mitigation
- Making cyber intrusions a priority for law enforcement action
- Beefing up legal repercussions and protections
- Engaging the public and raising awareness
The country has, to be sure, made progress in some of these areas. A recent executive order imbued the Treasury with the power to sanction “individuals or entities that engage in significant malicious cyber-enabled activities.” Congress has upped maximum penalties and fines for individuals found guilty of any kind of economic espionage by tenfold to $5 million (and $10 million for organizations). And the Federal Bureau of Investigation has been aggressively pursuing economic snoops. “The agency reported a 60 percent increase in trade secret investigations from 2009 through 2013,” as the New York Times points out.
But even as the prosecutions under the Economic Espionage Act have increased, the Justice Department has had difficulty indicting people for online theft of trade secrets. “During the first nine months of [2014], the Justice Department reported 20 new prosecutions under the Economic Espionage Act — a 33 percent increase from 2013 — and several convictions,” writes Nicole Perlroth, “but only two of the indictments involved trade secrets theft via digital intrusions.”
The two cases comprise last year’s indictment of five Chinese nationals for hacking and stealing secrets from various businesses such as Westinghouse and U.S. Steel, and the August indictment of another Chinese national, Su Bin, for doing the same to defense contractors such as Boeing. The U.S. has had no authority to extradite the former from China, while the latter awaits extradition in Canada.
In its latest “301 report” on protecting intellectual property, the Office of the U.S. Trade Representative, which negotiates on trade agreements with foreign governments, places China atop its “priority watch list” alongside nine other countries. Some of the countries—Chile, China, India, Indonesia, Thailand, and Turkey—have remained on that list every year since the first report came out in 1989.
It’s clear that diplomacy—the administration’s priority numero uno for combating digital economic espionage, and the approach with the best chance at success given the U.S.’s lack of enforcement authority abroad—has not been very successful to date. Cyberespionage is still on the rise, and the same countries appear to be to blame.
It’s possible that the executive branch’s newly approved power to impose financial and travel sanctions on perpetrators may change the game. But that solution faces challenges, too. As Verizon’s report reveals, not knowing who’s behind a hacking remains a problem: “Two-thirds of the incidents in this pattern had no attacker-attribution information whatsoever,” the report says in the cyberespionage section. That’s a lot of whodunnit.
For the time being, diplomacy will likely remain the U.S.’s best option in combatting cyberspies. That said: Without the requisite muscle or confidence in attribution, it’s bound to continue to be ineffectual. States will just continue to evade and parry accusations of hacking.
“Conditions are likely to deteriorate,” the 301 report says, less than optimistically, “as long as those committing such thefts, and those benefitting, continue to operate with relative impunity.”