The big news in the security segment this week is the newly formed agreement that President Barack Obama has struck with Chinese President Xi Jinping. Against a backdrop of U.S. threats to launch counter-attacks, the two leaders agreed to refrain from state-sponsored cyberattacks against each other that attempt to steal trade secrets or competitive business information. That sounds pretty good on the surface, but as with any complex agreement, you have to evaluate the implications of the deal before rendering judgement. In the following I’ll share my thoughts.
Closing the Barn Door too Late
In the U.S., we have a popular idiom that goes something like this: why close the barn door after the horse has bolted? I’m not sure how that would translate into Chinese, but here’s how it translates into lost dollars. A 2013 report published by The Commission for the Theft of American Intellectual Property estimated that losses from IP theft over the internet totaled in excess of $300 billion annually, which is roughly the total amount we exported to Asia in 2012. The report also estimates that China is responsible for roughly 70% of these losses. We are talking about trillions of dollars already lost. It makes one wonder how much is left to steal and, more importantly, where is the discussion about making us whole for these losses?
Who is Attacking?
James Clapper, Director of National Intelligence, stated that he is not optimistic that the agreement with China will effectively deter state-sponsored cyberattacks on businesses. One can envision that it will be quite easy for China to continue to target U.S. businesses at arm’s length by having future attacks appear not to be state-sponsored. On top of this, there is the grim reality that for most cyberattacks, we simply do not know where they originated or who is responsible.
Economic Sanctions as a Weapon
The stated deterrent is economic sanctions, which the U.S. has used effectively in the past, but success with this approach has relied on forming a coalition among a larger group of countries. When a single country imposes economic sanctions unilaterally, the task becomes more difficult, because the trading partner intended for punishment can often find alternative outlets and sources for the impacted goods. Current weaknesses in the Chinese economy will also contribute to significant reluctance on the part of the U.S. to impose damaging sanctions that could trigger a broader global economic decline.
U.S. businesses may understandably not feel any safer after the agreement than they did before. The basic tenet in the field of security is to invest in protection in proportion to the value of the assets being protected. The U.S. is under-investing in security, as evidenced by the continuing breaches and losses suffered. Stopping foreign hackers starts with basic security measures such as two-factor authentication and data encryption. At the same time, U.S.-based enterprises should expect more protection from their government, but it will need to be a partnership in which businesses increase their investment in security and the government initiates more effective means of deterring attacks on American targets, such as implementing more menacing counter-attacks and preemptive strikes on would-be foreign hackers.