TROY — The government of China is dedicating its military and intelligence apparatus to stealing intellectual property from American companies and using that know-how to sell products, the chairman of the House Intelligence Committee told an Automation Alley event Monday.
Other nations are also involved in intellectual property theft, and there’s also growing plain old garden-variety cybercrime by criminal gangs, U.S. Rep. Mike Rogers, R-Brighton, told about 70 people attending “Cybersecurity and Industrial Espionage: Assisting Global Threats and Managing Risk.”
“We are at war, cyberwar, and most Americans don’t know it,” Rogers said. “We have gone from the Cold War to the code war.”
Rogers acknowledged that the United States spies on other nations, and has done so since George Washington sent Nathan Hale to spy on the British.
“But what has never happened is a nation-state using its military and intelligence operations, dedicating it to stealing intellectual property, putting that property to use, making products and putting them out into the international markets,” Rogers said. “It is happening at a breathtaking pace … If you are a company with intellectual property, no matter how small, if you are a three-person shop, you are of interest to the Chinese. It is unbelievable how bad this is, and how few people know about it.”
Rogers said there are “two kinds of companies in the U.S., companies that have been hacked and know it, and companies that have been hacked and don’t know it.”
Rogers said that beyond intellectual property theft, there is also the threat of cyber-terrorism from nations like Iran, who lack the rationality of adversaries who are only trying to beat us economically.
Facing the reality of the threat of cybertheft of intellectual property is the first step to protecting ourselves from it.
Rogers argued for his Cyber Intelligence Sharing and Protection Act, which passed the House but stalled in the U.S. Senate last year. The bill would allow information sharing on cybersecurity with private companies. Backers argue that it’s necessary to protect the U.S. against cyber attacks; opponents argue that it would allow companies to easily hand over users’ private information to the government.
Rogers emphasized “good cyber-hygiene,” being careful about introducing “foreign media” into corporate networks, and watching out for attacs by social engineering and social media.
Other speakers at the event stressed the use of specialized software and intrusion testing to measure the strength of corporate and organization networks against cyberespionage.
FBI agent Chris A. Bartolo said threats range from foreign travel to company visitors to social engineering to phishing. Insiders can pose the biggest threats, and suspicious activities to note in insiders inlude having work habits that didn’t coincide with productivity, living beyond one’s means in cars, houses or travel, and asking questions about projects unrelated to their actual work.
Bartolo said companies need to be cautious about letting foreign visitors inspect their operations, citing one example of a visitor scooping up metal shavings off a plant floor to determine what metal alloy was used in a part. And employees should be careful not to reveal too much on social media.
Bartolo said companies should use “sterile” laptops and phones for travel, and use full-disk encryption. Only required files should be on the computer, and only limited contacts on the phones.
FBI supervisory special agent Tom Winterhalter showed a hair-raising video of a visiting executive’s Chinese hotel room — equipped with a spy camera by the executive — that showed four Chinese entering the room to steal data off the executive’s computer and phone.
Also presenting were cybersecurity software and services providers — Richard Thompson, solutions consultant at Guidance Software of Pasadena, Calif., Adam Gosslin, COO of High Bit Securityin Rochester, and Gregory P. Guidice, president and CEO of RazorThreat Inc. in Pontiac.
Gossllin presented several case studies of clients who were frighteningly open to intrusion, including a hospital where a hacker could have had access to everything from patient records to doctors’ identification for prescribing narcotics.
Guidice advised compliance testing, intrusion and penetration testing, vulnerability scanning, and patch management systems. Consistent policies and the purchase of “cyber insurance” are also good ideas, he said. Those strategies are aimed at keeping the bad guys out. There are also steps to keep more data from leaking.