Issue Date: July 8, 2013
Chemical Thieves And Spies
Chemical industry officials are urging the White House and Congress to modernize and fortify the nation’s digital defenses. They cite new research that says the rampant theft of all kinds of trade secrets from the U.S. by cyberattacks and more traditional methods has reached new heights and costs the economy more than $300 billion each year—the equivalent of all U.S. exports to Asia.
Chemical companies are among the victims. “Industrial espionage is a serious and omnipresent threat to U.S. manufacturing,” says Lawrence D. Sloan, chief executive officer of the Society of Chemical Manufacturers & Affiliates (SOCMA), a trade association. “If the U.S. is to realize a renaissance in manufacturing, it must address the theft of intellectual property (IP).”
Much of the thievery originates abroad. But a study released in late May by the Commission on the Theft of American Intellectual Property, a federal advisory panel, says the U.S. response so far—mostly browbeating foreign governments—has been “utterly inadequate” to deal with the growing problem.
“The scale of international theft of American intellectual property today, we believe, is unprecedented,” says former Utah Gov. Jon M. Huntsman Jr., cochair of the commission, whose members include former government officials and experts in security, technology, and IP law.
Under U.S. law, trade secrets comprise commercially valuable information not generally known to or readily ascertainable by the public. Typical examples include confidential formulas, manufacturing techniques, and customer lists. Recent victims of trade-secret theft in the chemistry world have included corporate giants such as Dow Chemical, DuPont, and Valspar, as well as less well-known companies.
Industry is playing defense when it comes to cyber crime, says David E. Kepler, Dow Chemical’s chief information officer. U.S. laws should be updated and strengthened to protect critical infrastructure from cyberattacks, he says. And cyber criminals must be held accountable “for stealing IP and personal information for financial gain.”
“You’ve got to have leverage in the game,” agrees Huntsman, who served as U.S. ambassador to China from 2009 through 2011. “IP theft needs to have consequences with costs sufficiently high that state and corporate behavior and attitudes that support such theft are fundamentally changed.”
Beyond the economic losses, the theft commission says heisting industrial secrets costs America millions of jobs, discourages investment in research and development, and risks stifling future innovation.
China accounts for between 50 and 80% of the stealing, according to the commission’s report, which cites Russia and India as other problem countries. A core component of China’s successful growth strategy, the report notes, is acquiring science and technology.
“National industrial policy goals in China encourage IP theft, and an extraordinary number of Chinese in business and government entities are engaged in this practice,” it says. Chinese officials have consistently denied U.S. charges of cyber espionage.
The commission, which has shared its findings with lawmakers and the Obama Administration, recommends that the Treasury Department be allowed to block foreign companies that repeatedly steal IP from using the U.S. banking system, effectively locking them out of the U.S. market.
Similarly, the Securities & Exchange Commission and other agencies that decide whether foreign companies may invest in the U.S. or be listed on U.S. stock exchanges should examine the firms’ IP theft records as part of their reviews, the report says.
“We are trying to force foreign companies to choose between access to the U.S. market and stealing American intellectual property,” says Dennis C. Blair, commission cochairman and former director of national intelligence for President Barack Obama. “You can’t have both.”
Congress is working on legislation to enhance U.S. cybersecurity but is running up against privacy fears and concerns from business about excessive regulation. Meanwhile, the President has signed an executive order that calls on federal agencies to provide companies with more useful and timely information about cyber threats, while ensuring privacy and civil liberties safeguards.
The executive order also directs the National Institute of Standards & Technology (NIST) to work with industry to create a set of voluntary cybersecurity best practices and standards for companies that own or operate “critical infrastructure,” including chemical plants, electric grids, and water systems. The agency, which is part of the Department of Commerce, is required to produce a final version by February 2014.
“We know foreign countries and companies swipe our corporate secrets,” Obama remarked in announcing the order on Feb. 12. The directive, he said, “will strengthen our cyber defenses by increasing information sharing and developing standards to protect our national security, our jobs, and our privacy.”
The Administration’s efforts will not result in onerous new regulations for the private sector, says NIST Director Patrick D. Gallagher. The cybersecurity framework “will draw on standards and best practices that industry already develops and uses” to protect their systems, Gallagher told the Senate Appropriations Committee last month.
In fact, Obama’s order complements existing industry security programs and builds on the regulatory requirements already in place for the chemical sector, says William J. Erny, senior director of security policy at the American Chemistry Council (ACC), a trade group representing major U.S. chemical manufacturers.
Unlike legislation, the order cannot grant agencies any new powers to regulate cybersecurity, Erny notes. But it does address the need to improve the flow of information between the government and the private sector on cyber threats. “The sharing of accurate, timely, and actionable threat information is critical to creating a successful partnership to counter cyberattacks,” he remarks.
Erny says the chemical industry is encouraged by the work NIST is doing to develop a framework that promotes greater communication. “That’s a massive undertaking. Cybersecurity cuts across all of the different critical infrastructures,” he tells C&EN. “That’s one reason ACC has advocated for a flexible approach on cybersecurity standards. Any attempt to put specific standards in place that will try to use a one-size-fits-all approach would be very shortsighted.”
The Administration has acknowledged, however, that there are limits to what can be accomplished through executive action and is watching congressional efforts to fill in the gaps. Only legislation can create incentives for companies to share threat information with the federal government and remove barriers for companies to share information about potential cyberattacks among themselves.
On April 18, the House passed the Cyber Intelligence Sharing & Protection Act (H.R. 624) by a vote of 288-127, despite a White House veto threat over privacy concerns. The legislation is cosponsored by Rep. Mike Rogers (R-Mich.), chairman of the House of Representatives Permanent Select Committee on Intelligence, and Rep. Dutch Ruppersberger of Maryland, the top Democrat on the panel.
Chemical manufacturers and a broad spectrum of industry groups say the measure is needed to protect against malicious hackers who seek to destroy their computer networks or hijack proprietary information.
Under the legislation, businesses would be given immunity from privacy lawsuits when they voluntarily share cyber-threat information with the government. Companies would be exempt from antitrust laws when they exchange information with each other. And the bill would allow federal agencies to share classified intelligence data about emerging cyber threats with industry.
“One of the challenges is to find a better way to more broadly share important information across this broad range of operations and businesses,” Erny points out. To do that, Congress has to “figure out a way to declassify more information.” The House-approved bill “would do a really good job in helping to forge a better pathway for us to more effectively share information,” he says.
However, the Obama Administration charges that the legislation trades away too much privacy in the name of security. H.R. 624 “does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities,” the White House says in a policy statement. “Citizens have a right to know that corporations will be held accountable—and not granted immunity—for failing to safeguard personal information adequately.”
The Senate plans to draft its own cybersecurity proposal later this summer. Rogers predicts that if a bill passes in both houses of Congress, Obama will sign it despite White House concerns. “Anyone who has looked at this threat at all knows we have to get legislation signed into law as soon as possible to protect our networks and our economy at large,” he says.
- Chemical & Engineering News
- ISSN 0009-2347
- Copyright © American Chemical Society