Inside the U.S.'s Ridiculous Plan to Make Sure "Made in China" Doesn't Mean "Stolen From America"
The U.S. and China have a very strained relationship when it comes to the protection of intellectual property, namely trade secrets and patents. U.S. companies pour countless dollars into research and development and often outsource some of the products to be cheaply manufactured abroad, for example, in Chinese factories. There are numerous ways that the foreign counterfeiters acquire the secrets behind American companies, but most egregiously, the Chinese workers at our foreign factory will simply construct an identical factory across the street, producing almost identical goods and stealing all the research that went into them. Other methods include hacking into corporate mainframes, simple online pirating of software (aka, downloading torrents), espionage, and reverse engineering. Behind the rhetoric of calling it "theft" is an assumption that our ideas have and deserve legal ownership, which has been challenged heavily in recent years by the open source community, among other groups.
A team of leaders in the U.S. came together in a report to propose changes to U.S. policy to prevent China's acquisition of U.S. IP. The Commission on the Theft of American Intellectual Property includes Jon Huntsman (Utah governor), the CEO of Intel, the former Commander in Chief of the U.S. Pacific Command, and others of similar stature. They decided to take a shotgun to kill a fly. Essentially, their report takes the approach that the U.S. should do whatever it takes to verify that every idea (trade secret, patent, or copyright) is authentic, suggesting tactics from authorizing offensive cyberattacks to nation-building. However, when they attempted to show that the foreign theft of our ideas is a real and substantial threat worthy of extreme measures, their data was arbitrary ($300 billion in losses, but the report disclaimed that the statistic is very difficult to measure), speculative (quoting studies that include theoretical sales in the cost of theft), and questionable (how could anyone measure that China's illegal software market is $9 billion?). The report suggests we should engage in the following to thwart China from piggybacking on our research:
Offensive Cyberattacks by Corporations:
There's increasing pressure from corporations to allow them to take offensive actions against hackers. Currently, they can only legally defend themselves by, for example, shutting down their systems to prevent an ongoing attack and hiring a professional to find the security breach. They currently are not allowed to take offensive actions like hacking into the hacker's computer and "photographing the hacker using his own system's camera, implanting malware in the hacker's network, or even physically disabling or destroying the hacker's own computer or network." Thus, in the event they are being hacked, they are limited to finding the security hole and fixing it, which can be far more time-consuming than finding the intruder and stopping an ongoing breach.
The report hesitantly stops shy of endorsing a change in law to allow companies to launch retaliatory cyberattacks against hackers. It justly points to the potential for misuse in giving corporations weapons and the difficulty of correctly identifying a hacker. While the report states that the collateral damage is too dangerous today, "In the future, if the loss of IP continues at current levels, these measures ought to be considered: Recommend that Congress and the administration authorize aggressive cyber actions against cyber IP thieves." Opening this door in any way would create a whirlwind of destruction by transforming the private sector and international marketplace into a literal digital warzone.
Without caveats, the report still suggests something almost as heinous. It suggests companies should use quasi-attack methods as employed by "ransomware." Ransomware locks your computer and requires payment to the hacker or other third party before you can use your computer again. The report suggests companies should write software that does the exact same thing if it detects unauthorized data on that computer. "For example, the file could be rendered inaccessible and the unauthorized user's computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account." This is still arguably a cyberattack and blatantly encourages corporations to adopt their methods from those who commit online fraud against consumers. The report, again, stops a mere hair away from outright endorsing the legalization of corporate cyberattacks.
Police China and Build Their Country:
The report suggests getting heavily involved with building China's laws and infrastructure. They seek to "push to move China, in particular, beyond a policy of indigenous innovation toward becoming a self-innovating economy." This is beginning to sound like a digital version of the U.S. invasion of Iraq, except China is a leading world power and has a well-functioning government. In the case of China, our involvement lacks the pretense of changing infrastructure to save a struggling country or bring stability to a war-torn region.
"Currently, there is a range of efforts, both public and private, that contributes (sic) to the development of rule of law in China and other foreign countries that do not protect intellectual property." This is misleading. The Chinese government does protect intellectual property and fairly well. As IAM magazine points out, "What the report does not seem to uncover is any widespread refusal of the Chinese authorities to enforce U.S.-owned patents in the country; nor does it discuss cases where patents have been applied for and unreasonably refused. That may be because neither is a common occurrence ... Put simply, you can't steal something that doesn't exist. If a patent has not been filed in China, anyone using the technology that it underpins in the country cannot be considered an infringer, let alone a thief."
The Commission's report names several inappropriate agencies and actors that should begin enforcing U.S. law in China. For example, they suggest that the Federal Trade Commission, a U.S. consumer protection agency, should begin enforcing actions against the theft of ideas from China and its citizens. China would not be thrilled, and it's hard to imagine that the U.S. domestic agency would be effective in navigating international diplomacy, cultural differences, and differences in laws.
After meddling in China, the Commission even anticipates rewards for its work. It suggests that we should also create organizations that will give gold stars to the U.S.'s successful development of China. Specifically, it encourages private entities to identify and praise IP "centers of excellence," or areas where the U.S. has successfully implanted strong enforcement of its IP system.
Take Their People and Hopefully, Their Peoples' Loyalty:
The report also calls for more green cards and visas to be opened up to STEM (science, technology, engineering, and math) students in the U.S. According to a Brookings Institution study, less than a third of students who study here qualify for green cards after they graduate. The report suggests we should make it easier for STEM students to obtain permanent residence here. The idea is that we should have the smart people who are capable of hacking and espionage on this side of the border so we can keep watch on them. This tactic assumes that the students want more from the U.S. than a mere education — that they would willingly want to live here after they finish school.
The effectiveness of such a policy is questionable. It's well known in the privacy world that the biggest cause of security breaches is insiders (i.e., employees), not outsiders. Disloyalty and carelessness are much bigger threats to innovation than hacking or outsiders breaking security measures. "To be sure, some of the foreign students who would remain in the United States under the terms of this arrangement would be subject to pressure or inducements from home countries and companies to commit IP theft while working for a U.S. company. There have been multiple cases of the FBI prosecuting green card holders." We have to wonder if putting the same people you distrust in your company will be effective in preventing leaks of information.
In sum, the theft of intellectual property is often the company's fault and has nothing to do with hacking or China. As stated, studies have shown that internal mistakes are a far greater cause of a company's loss of trade secrets and research than hacking. IAM magazine suggests that much of the loss of international protection for innovations comes from missing the deadlines for filing foreign patents or similar technicalities. Lastly, when you decide to put your factory in China to save a few bucks, you willingly take the risk that they'll steal your ideas. The fact that businesses make mistakes or are sloppy in protecting their confidential information doesn't justify a rebuilding of China's infrastructure and giving corporations the ability to launch offensive cyberattacks.
Unfortunately, this report carries a lot of clout. It drastically exaggerates the harms and calls for the most drastic measures imaginable to prevent a hypothetical hack into a corporation's secret files, presenting China like a holder of digital weapons of mass destruction. Even if cyberattacks were the main cause for other countries stealing our best ideas, where there is a cyberattack, the least of my worries is that a Pfizer unwillingly gives up its pharmaceutical research or a foreign competitor gets access to some specialized software. I'd be worried about the water supply, power grid, police data centers, military systems, and financial systems — not some lost research.