Yesterday the Office of the National Counterintelligence Executive of the DNI released a Report entitled Foreign Spies Stealing US Economic Secrets in Cyberspace. The Report explained in general terms what the government has long said: U.S. economic secrets are being stolen in very large quantities through cyber-exploitations. The report noted that “Chinese actors” and “Russia’s intelligence services” are the primary culprits. Again, this is not news to anyone who follows cybersecurity, but it was portrayed as a big deal in the press because the U.S. government openly singled out the Chinese and the Russians as the main threat. The report also noted “[o]ther countries with closer ties to the United States have conducted [computer network exploitations] and other forms of intelligence collection to obtain US economic and technology data, often taking advantage of the access they enjoy as allies or partners to collect sensitive military data and information on programs.”
The big question is what the U.S. is doing about economic cyberespionage. If one focuses on what is known publicly, the answer would appear to be “not much.” I am sure that naming the Chinese and Russians specifically and openly was a big deal inside the government. The Wall Street Journal reports that a “senior intelligence official said it was necessary to single out specific countries in order to confront the problem and attempt to contain a threat that has gotten out of control.” Perhaps so, but naming names alone will not accomplish much. For one thing, the U.S. government has presented no public evidence on Chinese and Russian cyberespionage, and those countries generally deny it. (Chinese Embassy spokesman Wang Baodang said yesterday, in response to the DNI Report, that China opposes “any form of unlawful cyberspace activities.”) For another, cyberespionage does not violate international law. For yet another, the United States itself, while it does not engage in broad-ranging industrial or economic espionage, does do so on a limited scale. As I wrote a few months ago:
I believe (but do not know) that the official policy of the U.S. government remains the one articulated in the 1996 Aspin-Brown Report: U.S. intelligence agencies do not collect “proprietary information of foreign commercial firms to benefit private firms in the United States,” but they do “identify situations abroad where U.S. commercial firms are being placed at a competitive disadvantage as a result of unscrupulous actions, e.g. bribery and ‘kickbacks.’” Former CIA Director James Woolsey said in 2000 that the United States “steal[s] secrets with espionage, with communications, with reconnaissance satellites” from “foreign corporations and foreign government’s assistance to them in the economic area,” for three reasons: (1) to understand how sanctions regimes are operating; (2) to monitor dangerous dual-use technologies in private hands; and (3) to learn about bribery practices. Presumably the United States also gathers intelligence from foreign private defense and intelligence firms.
In light of these factors, it is hard for me to understand what naming names is supposed to accomplish, especially since the Chinese and Russian hand in industrial espionage is widely known. The Report offers "best practices" suggestions for how firms can better defend themselves but says nothing about what steps the United States might take to stop these economically damaging cyber-exploitations. Unless the United States imposes concrete and painful measures on the adversaries and allies who steal our valuable secrets, I see no reason at all why these adversaries and allies will not go on stealing us blind, as they have been now for a long time.