June 13, 2017 | Senate Foreign Relations Committee, Subcommittee on East Asia, the Pacific, and International Cybersecurity

State-Sponsored Cyberspace Threats: Recent Incidents and U.S. Policy Response

Download the full testimony here. 

Both traditional economic warfare and, more recently, cyber warfare have been extensively studied. What is much less understood, however, is the intersection between these two subjects: The contemporary evolution of economic warfare within the new realities of cyberspace has not received the focused, comprehensive scrutiny and policy attention that it warrants. The questions we must be asking and answering are: Within the escalating cyber attacks on U.S. public and private organizations, is there lurking a new type of action – some form of concerted adversarial strategy – to undermine the U.S. economically? Are some adversaries’ strategies designed to cause economic harm that would weaken or significantly debilitate U.S. security capabilities? To what extent, and when, are they sponsoring proxies to achieve these nefarious goals? Is the U.S. prepared to identify and address such hostile strategies effectively? Does the U.S. government need new collection and analysis platforms to perform this critical function?

It is my contention that the threats are real, the warfare is ongoing, and that the U.S. government is inadequately structured to properly and comprehensively detect, evaluate, and address cyber-enabled economic threats. The U.S. government has made great strides in organizing itself to protect and defend the .gov and .mil realms.[1] But our nation’s greatest vulnerability may lie with adversarial attacks on the U.S. private sector. And in this regard, the private sector believes it is on its own, a position that is untenable when the adversary is a state actor such as China or North Korea.

Background of the Evolving Battlespace

As we think through our ability as a nation to protect ourselves and our allies, and advance our core interests overseas, the greatest strength we have is our economy. It is our free market, with its ability to efficiently move capital, protect intellectual property, distribute goods, and provide the running room for new ideas and technology to flourish, that creates the most powerful and fearsome military the world has ever known. It is the confidence of the American people that our $18.5-trillion GDP will continue to thrive that provides our leaders the confidence to fund our defense budget. And it is not just the defense industrial base but the broader national security industrial base that underpins it all. Specifically, it is not just the big defense contractors and the big telecommunication companies but everything from the technology startups; to the banks and investment houses that supply capital; to the cars, trucks, trains, and planes that move men and materiel; to the pharmaceuticals and food supplies that care and feed those who protect the free world. Moreover, an April report from the Defense Science Board Task Force on the Cyber Supply Chain warned that the Pentagon can be crippled through maliciously inserted vulnerabilities into the weapons and goods that power the U.S. military through entry points in private sector companies.[2]

It is true that the business of America is business. And the business of America is at risk of being hollowed out from the inside by everything from theft of intellectual property to the malicious infection of the supply chain to the degradation of confidence in our commerce, banking, and transportation sectors. The papers are filled with articles about cyber attacks against the private sector to gain profit. No doubt, this is a serious and growing problem. British insurance company Lloyds estimated that cyber attacks cost global businesses as much as $400 billion per year.[3] The internet and its related networked systems provide overwhelming advantages that help an economy to learn, share, and grow, but as we increase our reliance on the electronic movement of data, money, goods, and services, we also increase our vulnerability.[4]

What the $400 billion amount, large as it seems, ignores is the corrosive effect cyber attacks against the private sector can have on a country’s military readiness or political sovereignty. The theft of defense-related intellectual property and the corruption of the defense supply chain has been widely reported, and the possible damage these hostile actions could inflict upon our weapons systems has raised alarms throughout the Pentagon and on Capitol Hill.[5] The more pernicious, and less recognized, effect is the degrading of the entrepreneurial motivation that occurs with the systematic and wholesale theft of intellectual property from its creators and owners. As a result of sustained cyber attacks, startups may not get financing because their IP is stolen and established companies may be forced to shut down for days because of malware incidents, projects may get cancelled, and people may get laid off. And it is the small- and medium-sized enterprises – the very companies where the most innovative work is being done that eventually finds its way into our military – that are often hit hardest by cyber attacks.[6] A 2012 U.S. Patent and Trademark Office report aptly summed it up this way: “Every job in some way produces, supplies, consumes, or relies on innovation, creativity, and commercial distinctiveness. Protecting our ideas and intellectual property (IP) promotes innovative, open, and competitive markets.”[7] With estimates of the annual costs of trade secret theft in the U.S. ranging from $180 billion to $540 billion, the long-tailed drag on the economy must be recognized for the crisis it is, with a disproportionate burden falling on the very startups and innovation leaders that the U.S. and other developed nations credit with building the future economy, enhancing military readiness, and safeguarding sovereignty.[8] As the U.S. government better develops systems to cooperate with and defend the private sector, protecting these types of startups and innovative companies should be a priority given the disproportionate role they play in determining future national power.

The very well-researched IP Commission Report from the National Bureau of Asian Research discusses at length the follow-on effects from IP theft, including advantaging our adversaries both in the market and on the battlefield as well as chilling the innovative spirit that creates the technological breakthroughs upon which our economy and military rely.[9] Therefore, it is not the pure cyber criminal that should keep this committee up at night. Rather, it is the hostile state actor who recognizes that while it may not be able to compete directly with America’s strength of arms, it holds a significant asymmetric advantage in attacking our economic wherewithal and, by so doing, weaken us militarily or politically.

We call this purposeful strategy Cyber-Enabled Economic Warfare (CEEW).

[1] Vicki Michetti, “DoD’s Defense Industrial Base Cybersecurity (DIB CS) Program,” U.S. Department of Defense, August 24, 2016. (https://www.fbcinc.com/e/cybertexas/presentations/Room_302_Wed_1-145PM_Vicki_Michetti_DIB_101_Cyber_Texas_Aug15.pdf)

[2] U.S. Department of Defense, Defense Science Board, “Cyber Supply Chain,” April 2017. (http://www.acq.osd.mil/dsb/reports/2010s/DSBCyberSupplyChain_ExecSummary_Distribution_A.PDF)

[3] Stephen Gandel, “Lloyd’s CEO: Cyber attacks cost companies $400 billion every year,” Fortune, January 23, 2015. (http://fortune.com/2015/01/23/cyber-attack-insurance-lloyds/)

[4] Steve Morgan, “IBM's CEO On Hackers: ‘Cyber Crime Is The Greatest Threat To Every Company In The World,’” Forbes, November 24, 2015. (https://www.forbes.com/sites/stevemorgan/2015/11/24/ibms-ceo-on-hackers-cyber-crime-is-the-greatest-threat-to-every-company-in-the-world/#1db8a3473f07)

[5] Ellen Nakashima, “Confidential report lists U.S. weapons system designs compromised by Chinese cyberspies,” The Washington Post, May 27, 2013. (https://www.washingtonpost.com/world/national-security/confidential-report-lists-us-weapons-system-designs-compromised-by-chinese-cyberspies/2013/05/27/a42c3e1c-c2dd-11e2-8c3b-0b5e9247e8ca_story.html?utm_term=.afe441d46dc3)

[6] According to the 2012 Verizon Breach report, 71 percent of companies with less than 100 employees have suffered a cyber attack. “2012 Data Breach Investigations Report,” Verizon, 2012, page 11. (http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf)

[7] “Economics and Statistics Administration and U.S. Patent and Trademark Office, “Intellectual Property and the U.S. Economy: Industries in Focus,” March 2012. (https://www.uspto.gov/sites/default/files/news/publications/IP_Report_March_2012.pdf)

[8] “Update to the IP Commission Report: the Theft of American Intellectual Property: Reassessments of the Challenge and United States Policy,” National Bureau of Asian Research on behalf of the Commission on the Theft of American Intellectual Property, 2017. (http://www.ipcommission.org/report/IP_Commission_Report_Update_2017.pdf); “Economic Impact of Trade Secret Theft: A Framework for Companies to Safeguard Trade Secrets and Mitigate Potential Threats,” Center for Responsible Enterprise and Trade and PricewaterhouseCoopers, 2014. (https://create.org/resource/economic-impact-oftrade-secret-theft)

[9] “Update to the IP Commission Report: the Theft of American Intellectual Property: Reassessments of the Challenge and United States Policy,” National Bureau of Asian Research on behalf of the Commission on the Theft of American Intellectual Property, 2017. (http://www.ipcommission.org/report/IP_Commission_Report_Update_2017.pdf