RSA 2015: Panelists debate a way forward for matters of cyber conflict
Panelists discussed cyber espionage and intellectual property theft affecting U.S. companies and steps the private and public sector must take to curb the threat.
A cyber policy and foreign relations expert said that truly curbing intellectual property (IP) theft by cyber attackers in China will take more than government action. Adam Segal, senior fellow for China studies and director of the digital and cyberspace policy program at the Council on Foreign Relations, explained that, to make an immediate impact, the private sector will have to seriously consider its business interactions with the country.
Segal was one of three panelists at an RSA Conference session on policy issues and conflict in cyberspace. The session, called “Cyber Battlefield: The Future of Conflict,” convened Wednesday morning at the Moscone Center in San Francisco.
“The Chinese passed a huge amount of IP laws, but just don't implement them all the time,” Segal said. “We haven't made a huge amount of progress on that front, and we're never going to make progress until U.S. companies say, ‘We've had enough.’”
He added later that, while Chamber of Commerce surveys present IP theft by China as an “annoyance” to businesses, companies have also shown they are “going to continue to do business in China.”
Panelists Jason Healey, director of the cyber statecraft initiative for the Atlantic Council, and Martin Libicki, senior scientist at RAND, also shared their opinions on addressing cyberespionage and hacking threats from abroad, when taking action can have a rippling impact on international affairs.
Dmitri Alperovitch, co-founder and chief technical officer at CrowdStrike, served as the moderator for the panel.
During the discussion, Alperovitch shared that an inhibiting factor for companies wanting to thwart attacks overseas is that the U.S. intelligence community can be hesitant to disclose indicators of compromise (IOCs) to the private sector during ongoing investigations if it has yet to analyze malware used in sophisticated or destructive attacks, for instance.
“The government believes that any time they share this [threat] information they'll lose visibility, and they'd rather keep watching than actually help the private sector,” he said.
Jason Healey told the crowd of attendees, however, to take note of recent policy decisions, where the White House has taken significant action that might help businesses.
In April 2014, for instance, The New York Times reported on President Obama's decision that the NSA must disclose “major” security flaws, including zero-day vulnerabilities, to vendors, unless doing so would inhibit “a clear national security or law enforcement need,” senior administration officials told the Times.
Moving forward, Healey also advised security practitioners not to get caught up in the back and forth of the attack game, so to speak.
“We think the game is about the hacking, [when] the game is actually about prosperity and innovation, and making sure our grandkids are going to have an internet that drives innovation – and jobs 50 years from now, or 100 years from now,” Healey said.