Fighting cyber espionage, legally
Instead of trying to tackle foreign governments or hack-proof their own systems, Americans could use the force of the law to neuter cyber espionage by eliminating much of the incentive to hack.
Attorney and former Department of Homeland Security official Stewart Baker argues that a digital rule of law could be surprisingly effective.
Attorney and former Department of Homeland Security official Stewart Baker thinks so. The world might be friendlier to a digital rule of law than is commonly supposed, Baker asserted at a Dec. 4 breakfast sponsored by the American Bar Association. He pointed to Chinese President Xi Jinping's willingness to agree to international cyber accords and anti-hacking crackdowns within the People's Liberation Army as recent examples
Instead of going after the Chinese government, American companies and agencies could instead look to foreign firms.
"[Suing the Chinese government] is probably not your best bet anyway because the Chinese government will just, you know, stay offshore and thumb its nose at you," Baker said. "You're trying to dry up the market for cyber espionage rather than stop the cyber espionage directly, which is, that's what deterrence is all about."
Lawsuits, in other words, could help kill the cyber espionage market.
Baker said the Computer Fraud and Abuse Act, the Uniform Trade Secrets Act and Section 337 of the Smoot-Hawley Tariff Act all contain provisions related to stolen trade secrets that American firms could use to block foreign goods from the American marketplace.
Foreign firms are interested in stolen intellectual property so they can sell goods based on it, Baker noted. If they can't sell those goods in the world's biggest economy, they'll be a lot less keen on IP theft.
"These are potentially enormously valuable tools in the hands of the private sector," Baker said, predicting a major goods-blocking lawsuit from an American company against a foreign firm within the next five years.
The feds have a role to play, too, he said, calling on intelligence agencies to help scout foreign networks for stolen data. Targeted sanctions through the Office of Foreign Asset Control at Treasury also can help punish and dissuade hackers, Baker added.
What of the problems of attribution, and the threat of retaliation?
We have "remarkable" attribution capabilities by this point, Baker said, echoing the claims of those peeved in the private sector who want a more aggressive hack-back approach.
Retaliation, at least as concerns China, may not be a serious threat, he noted, as President Xi is "selling out" Chinese hackers in the interest of cementing internal control and assuaging world concerns.
Earlier this month, China claimed to have arrested the hackers responsible for the Office of Personnel Management breach, an intrusion Americans long suspected was state-sponsored, but which the Chinese government is now blaming on criminals.
Baker asserted that, all things considered, robust international legal action is the preferred way forward on cyber threats. The current de facto cyber defense model, emphasizing protecting networks rather than punishing and dis-incentivizing hackers, runs counter to the very principles of the law and civilized society, he noted.
It's as if the world was a town plagued by muggers, he said, and instead of arresting the criminals, the town's police chief told pedestrians to wear body armor to protect themselves.
"That chief of police wouldn't last a day with a plan like that," Baker said.