Chinese hackers have redefined the concept of room service: In one recent attack, they infiltrated an Internet service provider to some of the world’s leading hotels, potentially gaining access to millions of confidential messages of traveling executives, as well as to the victims’ corporate networks.
The electronic theft of proprietary information from U.S. companies has reached the level of grand larceny on a national scale. One declassified government estimate put the value of information stolen in the last year — everything from blueprints to merger plans — at almost $500 billion. In October, breaking with diplomatic niceties, the Office of the National Counterintelligence Executive characterized “Chinese actors”as “the world’s most active and persistent perpetrators of economic espionage.”
The distinction represents a success of sorts: In 1986, China launched a project — program 863— that included the use of clandestine means to close the gap with the West in areas such as nanotechnology, biotech and computers. Since then, the opportunities for progress have multiplied. Expanding commercial and scientific links between the U.S. and China have created a target-rich environment. The spread of portable devices and pooled data processing and storage has made it harder to protect corporate secrets.
Fact of Life
Of course, industrial espionage has been a fixture of the economic landscape for centuries. Americans have a rich history of pilfering ideas from abroad, beginning with the theft of spinning and weaving technology from the British. So one proper response to today’s techno-thieves — be they Chinese, Russian, French, German or Israeli — is for American companies to embrace the threat as a fact of life and step up their own vigilance, especially when their executives travel overseas.
But there are other things that can be done to safeguard the fruits of the roughly $400 billion that U.S. corporations, the federal government, universities and nonprofit organizations spend on research and development each year. For starters, the Obama administration could put a stop to the low-grade turf war between the National Security Agency and the Department ofHomeland Security over the protection of civilian networks. The latter, as a civilian agency, is better positioned to take the lead, with the NSA in a supporting role. The government could also give Howard Schmidt, the White House cyber-security coordinator, more authority and resources to do his job.
Government and private corporations need to do more sharing of information about cyber-espionage attacks. In 2010, Google Inc. (GOOG) made news when it publicly identified China as the home base of an effort to crack its source codes. All too often, however, companies resist disclosing such incidents because they worry about bad publicity, liability issues or Chinese retaliation. Representative Mike J. Rogers, a Michigan Republican who is chairman of thePermanent Select Committee on Intelligence, has proposed legislation allowing the government to share threat information with private industry, and to encourage companies to reciprocate on a voluntary basis. That’s good, but it will do little unless private companies and officials inWashington develop a habit of following up on such information.
Finally, we need to treat the threat of Chinese cyber- espionage, real as it is, in a sober, nuanced manner. Sometimes, U.S. cyber warriors talk of China in language that sounds like it comes from an old Fu Manchu movie. China isn’t a monolith: the Ministry of Foreign Affairs, the Ministry of State Security and the People’s Liberation Army — not to mention an army of rogue hackers — all behave very differently.
Many Chinese recognize that China and the U.S. share a common interest in ensuring the protection of intellectual property, that foreign companies will not continue to invest in a country that is stealing their crown jewels, and that China stands to lose from undermining an economy in which it has invested hundreds of billions of dollars.
To contact the Bloomberg View editorial board: firstname.lastname@example.org.