This guest blog is contributed by David Locke Hall, keynote speaker at SmartFlow’s upcoming November 2, 2016 Anti-Piracy Summit. Hall is the author of CRACK99: The Takedown of a $100M Chinese Software Pirate, an electrifying account of that takedown.
In June of 2011, after several years operating a sting operation as a federal prosecutor, I arrested Xiang Li, a Chinese cyber pirate who had been operating a website called CRACK99 from Chengdu, China. On that website were thousands of software products – mostly of U.S. origin – being offered for sale for pennies on the dollar. These were not retail software products for ordinary mortals like me. They were mostly engineering programs used in advanced industrial applications including aviation, space, design automation, measurement and control, CAD/CAM, and communications. Many of the applications were military. The value of what was offered on CRACK99 was over $1 billion. The value of what Xiang Li himself sold via CRACK99 was over $100 million.
As the IP Commission found in 2013 with regard to Chinese cyber piracy: “National industrial policy goals in China encourage IP theft, and an extraordinary number of Chinese in business and government entities are engaged in this practice.” The case of China is particularly stark: the Chinese government, including the People’s Liberation Army, systematically steals data not only from the U.S. government, but from private commercial actors in the U.S.
The consequences of this sustained state-sponsored activity are significant. You are surely aware of the multiple hacks of government agencies, including OPM’s security clearance database. That is one of the great espionage achievements in history. All the personal data of U.S. intelligence officers, including me, is now in the hands of a foreign adversary. Moreover, Chinese hackers have reportedly stolen radar software for the $1.4 trillion F-35 stealth joint strike fighter, a fifth-generation tactical fighter still in the testing phase, employing the most advanced U.S. stealth technology. These thefts call into question the ability of the F-35 to remain stealthy in a future conflict with China. Our military advantage results from two factors: superior training and superior technology. Each is a force multiplier. If we lose our technology, we lose our edge.
What is the government doing about this? Unfortunately, the answer is, not much.
We are finally winding down a contentious political season. Many words have been uttered at a high volume. But cybersecurity? Not really discussed in this presidential election cycle. We debate whether or not ISIS is an existential threat. Cyber-attacks really are. And yet, neither candidate has a strategy for dealing with the problem, which suggests the future president won’t have one.
And neither does Congress. Congress took only eight years to produce the Cybersecurity Act of 2015, which permits voluntary sharing of cyber threat information. I’m all for that. But really? That’s it?
I think it is a mistake to wait for the government to come to the rescue. I think the government is way behind the private sector in terms of recognizing the problem and formulating a solution. But I do hope the government can do better. For example, I hope federal law enforcement will get more involved in protecting technology transfer. I hope we get more aggressive in terms of using Cybercom and Tenth Fleet to achieve national objectives. I hope we get more aggressive about using diplomacy to establish international norms and pressure cyber outsiders like China.
But whether that happens or not, the government will never drop a magic curtain that protects your IP. Even if the government steps up its game, it will be up to you to protect yourselves. I believe we can do it. I believe we have to do it.
I’m seeing companies getting more aggressive about protecting IP. When we did the CRACK99 case, I found that many companies viewed cyber loss as a foregone conclusion. It’s just an unfortunate fact of life, like a rainy day. But I think companies with real IP to protect are realizing they need to be proactive to protect their property. A cease and desist letter isn’t enough. When IP is stolen, it is not a foregone conclusion that it will stay that way. There are remedies under U.S. law and they can be applied in many cases to foreign actors. Not always. But it’s worth considering and I see more companies doing that, as opposed to rolling over on the belief that there is no hope.