[House Hearing, 112 Congress] [From the U.S. Government Publishing Office] ECONOMIC ESPIONAGE: A FOREIGN INTELLIGENCE THREAT TO AMERICAN JOBS AND HOMELAND SECURITY ======================================================================= HEARING BEFORE THE SUBCOMMITTEE ON COUNTERTERRORISM AND INTELLIGENCE OF THE COMMITTEE ON HOMELAND SECURITY HOUSE OF REPRESENTATIVES ONE HUNDRED TWELFTH CONGRESS SECOND SESSION __________ JUNE 28, 2012 __________ Serial No. 112-101 __________ Printed for the use of the Committee on Homeland Security [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] Available via the World Wide Web: http://www.gpo.gov/fdsys/ __________ U.S. GOVERNMENT PRINTING OFFICE 79-843PDF WASHINGTON : 2013 ______________________________________________________________________________ For sale by the Superintendent of Documents, U.S. Government Printing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected]. COMMITTEE ON HOMELAND SECURITY Peter T. King, New York, Chairman Lamar Smith, Texas Bennie G. Thompson, Mississippi Daniel E. Lungren, California Loretta Sanchez, California Mike Rogers, Alabama Sheila Jackson Lee, Texas Michael T. McCaul, Texas Henry Cuellar, Texas Gus M. Bilirakis, Florida Yvette D. Clarke, New York Paul C. Broun, Georgia Laura Richardson, California Candice S. Miller, Michigan Danny K. Davis, Illinois Tim Walberg, Michigan Brian Higgins, New York Chip Cravaack, Minnesota Cedric L. Richmond, Louisiana Joe Walsh, Illinois Hansen Clarke, Michigan Patrick Meehan, Pennsylvania William R. Keating, Massachusetts Ben Quayle, Arizona Kathleen C. Hochul, New York Scott Rigell, Virginia Janice Hahn, California Billy Long, Missouri Ron Barber, Arizona Jeff Duncan, South Carolina Tom Marino, Pennsylvania Blake Farenthold, Texas Robert L. Turner, New York Michael J. Russell, Staff Director/Chief Counsel Kerry Ann Watkins, Senior Policy Director Michael S. Twinchek, Chief Clerk I. Lanier Avant, Minority Staff Director ------ SUBCOMMITTEE ON COUNTERTERRORISM AND INTELLIGENCE Patrick Meehan, Pennsylvania, Chairman Paul C. Broun, Georgia, Vice Chair Brian Higgins, New York Chip Cravaack, Minnesota Loretta Sanchez, California Joe Walsh, Illinois Kathleen C. Hochul, New York Ben Quayle, Arizona Janice Hahn, California Scott Rigell, Virginia Ron Barber, Arizona Billy Long, Missouri Bennie G. Thompson, Mississippi Peter T. King, New York (Ex (Ex Officio) Officio) Kevin Gundersen, Staff Director Zachary Harris, Subcommittee Clerk Hope Goins, Minority Subcommittee Director C O N T E N T S ---------- Page Statements The Honorable Billy Long, a Representative in Congress From the State of Missouri: Oral Statement................................................. 1 Prepared Statement............................................. 3 The Honorable Brian Higgins, a Representative in Congress From the State of New York, and Ranking Member, Subcommittee on Counterterrorism and Intelligence.............................. 5 Witnesses Mr. Stuart Graham, Chief Economist, U.S. Patent and Trademark Office, U.S. Department of Commerce: Oral Statement................................................. 8 Prepared Statement............................................. 9 Mr. John P. Woods, Assistant Director, Homeland Security Investigations, Immigration and Customs Enforcement, U.S. Department of Homeland Security: Oral Statement................................................. 12 Prepared Statement............................................. 14 Mr. C. Frank Figliuzzi, Assistant Director, Counterintelligence Division, Federal Bureau of Investigation, U.S. Department of Justice: Oral Statement................................................. 16 Prepared Statement............................................. 18 Mr. Gregory C. Wilshusen, Director, Information Security Issues, Government Accountability Office: Oral Statement................................................. 19 Prepared Statement............................................. 21 ECONOMIC ESPIONAGE: A FOREIGN INTELLIGENCE THREAT TO AMERICAN JOBS AND HOMELAND SECURITY ---------- Thursday, June 28, 2012 U.S. House of Representatives, Committee on Homeland Security, Subcommittee on Counterterrorism and Intelligence, Washington, DC. The subcommittee met, pursuant to call, at 10:05 a.m., in Room 311, Cannon House Office Building, Hon. Billy Long presiding. Present: Representatives Long, Higgins, and Hochul. Mr. Long. The Committee on Homeland Subcommittee on Counterterrorism and Intelligence will come to order. The subcommittee is meeting today to hear testimony regarding economic espionage and its threat to American jobs and homeland security. As most of you know, Chairman Meehan is not at today's hearing. Unfortunately, an issue arose that he had to attend, and I will be chairing today's hearing. I recognize myself for an opening statement. The National unemployment rate currently stands at 8.2 percent, and our Nation faces economic headwinds. Over the last 2 years, we have examined many threats to the U.S. homeland. However, today's hearing provides an opportunity, a unique opportunity, for Members on the subcommittee to examine an issue that affects both National security and American competitiveness and job security. This is an issue that touches small and medium-sized businesses in Congressional districts all across America. Foreign economic and industrial espionage against the United States represents a significant and growing threat to the Nation's prosperity, American jobs, and National security. The primary strengths of the private sector in the United States are its tangible assets, including research and development, intellectual property, sophisticated business processes, and enforceable contracts. Unfortunately, those assets are being stolen by foreign intelligence services, corporations with close ties to foreign governments, and non-state actors. According to the U.S. Army General Keith Alexander, director of the National Security Agency and commander of U.S. Cyber Command, the United States currently finds itself the victim of the greatest transfer of wealth in history. Just this week, the director of the British's international security agency, MI5, told a London audience that it is investigating cyber attacks against more than a dozen companies, and added that one major London business has suffered more than $1.2 billion in losses from an attack. He called the extent of the espionage activity astonishing, with industrial-scale process, involving many thousands of people lying behind both state-sponsored cyber espionage and organized crime. This spring, FBI erected billboards at nine cities around the country to highlight the $13 billion in losses suffered by U.S. companies as a result of economic espionage in 2012 alone. While that number is staggering, my fear is that the $13 billion represents only the tip of the iceberg. Of even greater concern is finding out what lies beneath the surface. Due to a number of factors, which will be discussed today, the true size of this threat could be massively undervalued because this activity often goes unreported to law enforcement. Economic espionage can take many forms, including visits to a company's website to gather open-source information, and employees downloading proprietary information on a thumb drive at the behest of a foreign rival. Or intrusions launched by foreign intelligence service or other actors against the company's network of a private company, Federal agency, or individual. Unlike 20 years ago, business activity conducted over the internet provides opportunities for bad actors to infiltrate and steal vital data from the U.S. companies. Cyberspace also provides relatively small-scale actors an environment and opportunity to become big players in economic espionage. In addition, under-resourced governments or corporations often build relationships with hackers to steal sensitive economic or technological information just as national states have done for decades. In many ways, the threat posed by the economic espionage is similar to the threat posed by al-Qaeda and its affiliate networks, less centralized and more diffuse. And making it, often, more difficult to combat. Making this an even more complex problem, many bad actors often remain anonymous, and determining attribution of attacks is difficult for law enforcement in the intelligence community. Many actors route operations through computers in third countries, or physically operate from third-party countries to obscure the origins of a activity. Some foreign intelligence services and non-state actors have reportedly used independent hackers at times to augment their capabilities and act as proxies for intrusions in order to provide plausible deniability. Both China and Russia view economic espionage as an essential tool in statecraft to achieve stated National security and economic prosperity aims. It is critical Members of Congress and U.S. businesses understand that point; China and Russia have official government policies of stealing U.S. assets for economic gain. They target sensitive U.S. technology and economic data, private-sector companies, academic and research institutions, and U.S. citizens on a daily basis. According to the National Counterintelligence Executive, China and Russia will remain aggressive collectors of sensitive U.S. economic information and technology. Both countries will certainly continue to deploy significant resources and a wide variety of tactics to acquire this information, motivated by the desire to achieve economic, strategic, and military parity with the United States. Unfortunately, many private-sector victims of economic espionage are unaware of the crime until years after the loss of their information. In addition, many companies that are victims of espionage choose not to report the event to the FBI because it would negatively affect the company's reputation and endanger its relationship with investors, bankers, suppliers, customers, and shareholders. In many cases, it is difficult for companies to assign an economic value to stolen information, thereby decreasing their incentive to share information with law enforcement. A few examples I would like to point out that illustrate the challenge faced by the private sector. The AMSC Corporation, a Massachusetts-based maker of computer systems that run wind turbines, was victimized by its largest customer, China's C- Nobel Corporation. C-Nobel illegally obtained access to AMSC's proprietary source code through an AMSC employee who was paid to aid in the theft. C-Nobel, which accounted for two-thirds of AMSC's annual revenue of $315 million took AMSC's source code, began producing its own computers, and severed its relationship with AMSC. When this news was made public, AMSC's share price fell 40 percent in a single day. Over the course of 5 months it plunged 84 percent. One U.S. metals company lost technology to China's hackers that cost $1 billion and 20 years to develop. An employee of the Valspar Corporation unlawfully downloaded proprietary paint formulas valued at $20 million which he intended to take to a new job in China, according to press reports. This theft represented about one-eighth of Valspar's reported profits for 2009, the year the employee was arrested. Today's witness--let us see--to get to a better understanding of the problem, today we will hear from a panel of Government witnesses from the FBI, Immigration and Customs Enforcement, and the Department of Commerce about the nature and severity of the threat and its cost to the U.S. economy. We will also learn what the U.S. Government is doing to combat the threat, including its work with small and medium- sized businesses to prevent the loss of trade secrets and intellectual property. I look forward to hearing from today's witnesses on this important topic. [The statement of Hon. Long follows:] Statement of Hon. Billy Long June 28, 2012 national security and job security The National unemployment rate currently stands at 8.2% and our Nation faces tough economic headwinds. Over the last 2 years, we have examined many threats to the U.S. homeland. However, today's hearing provides a unique opportunity for Members of the subcommittee to examine an issue that affects both National security and American competitiveness and job security. This is an issue that touches small and medium-sized businesses in Congressional districts all across America. economic espionage threat Foreign economic and industrial espionage against the United States represents a significant and growing threat to the Nation's prosperity, American jobs, and National security. The primary strengths of the private sector in the United States are its tangible assets, including research and development (R&D), intellectual property, sophisticated business processes, and enforceable contracts. Unfortunately, those assets are being stolen by foreign intelligence services, corporations with close ties to foreign governments, and non-state actors. According to U.S. Army General Keith Alexander, Director of the National Security Agency and Commander of U.S. Cyber Command, the U.S. currently finds itself the victim of ``the greatest transfer of wealth in history.'' Just this week, the Director General of Britain's internal security agency, MI5 told a London audience that it is investigating cyber attacks against more than a dozen companies and added that one major London business had suffered more than $1.2 billion dollars in losses from an attack. He called the extent of the espionage activity ``astonishing--with industrial-scale processes involving many thousands of people lying behind both state-sponsored cyber-espionage and organized crime.'' This spring FBI erected billboards in nine cities around the country to highlight the $13 billion dollars in losses suffered by U.S. companies as a result of economic espionage in 2012 alone. While that number is staggering, my fear is that the $13 billion represents only the tip of the iceberg. Of even greater concern is finding out what lies beneath the surface. Due to a number of factors, which will be discussed today, the true size of this threat could be massively under- valued because this activity often goes unreported to law enforcement. evolving threat environment & cyber threat Economic espionage can take many forms including, visits to a company's website to gather open-source information; an employee's downloading of proprietary information onto a thumb drive at the behest of a foreign rival; or intrusions launched by a foreign intelligence service or other actors against the computer networks of a private company, Federal agency, or an individual. Unlike 20 years ago, business activity conducted over the internet provides opportunities for bad actors to infiltrate and steal vital data from U.S. companies. Cyberspace also provides relatively small- scale actors an environment and opportunity to become big players in economic espionage. In addition, under-resourced governments or corporations often build relationships with hackers to steal sensitive economic or technological information, just as national states have done for decades. In many ways, the threat posed by economic espionage is similar to the threat posed by al-Qaeda and its affiliate networks: Less centralized and more diffuse, often making if more difficult to combat. anonymity and attribution Making this an even more complex problem, many bad actors often remain anonymous and determining attribution of attacks is difficult for law enforcement and the intelligence community. Many actors route operations through computers in third countries or physically operate from third-party countries to obscure the origin of their activity. Some foreign intelligence services and non-state actors have reportedly used independent hackers at times to augment their capabilities and act as proxies for intrusions in order to provide plausible deniability. china and russia Both China and Russia view economic espionage as an essential tool in statecraft to achieve stated National security and economic prosperity aims. It is critical Members of Congress and U.S. businesses understand that point: China and Russia have official government policies of stealing U.S. assets for their economic gain. They target sensitive U.S. technology and economic data, private- sector companies, academic and research institutions, and U.S. citizens on a daily basis. According to the National Counterintelligence Executive, China and Russia will remain aggressive collectors of sensitive U.S. economic information and technology. Both countries will certainly continue to deploy significant resources and a wide array of tactics to acquire this information, motivated by the desire to achieve economic, strategic, and military parity with the United States. private-sector challenges Unfortunately, many private-sector victims of economic espionage are unaware of the crime until years after the loss of their information. In addition, many companies that are victims of espionage choose not to report the event to the FBI because it would negatively affect the company's reputation and endanger its relationships with investors, bankers, suppliers, customers, and shareholders. In many cases, it is difficult for companies to assign an economic value to stolen information, thereby decreasing their incentive to share information with law enforcement. examples of espionage A few examples I'd like to point out that illustrate the challenge faced by the private sector:The AMSC Corporation, a Massachusetts-based maker of computer systems that run wind turbines, was victimized by its largest customer, China's Sinovel Corporation. Sinovel illegally obtained access to AMSC's proprietary source code through an AMSC employee, who was paid to aid in the theft. Sinovel, which accounted for two-thirds of AMSC's annual revenue of $315 million, took AMSC's source code, began producing its own computers and severed its relationship with AMSC. When this news was made public AMSC's share price fell 40% in a single day and over the course of 5 months plunged 84%. One U.S. metallurgical company lost technology to China's hackers that cost $1 billion and 20 years to develop. An employee of the Valspar Corporation unlawfully downloaded proprietary paint formulas valued at $20 million, which he intended to take to a new job in China, according to press reports. This theft represented about one-eighth of Valspar's reported profits in 2009, the year the employee was arrested. today's witnesses To get a better understanding of this problem, today we will hear from a panel of Government witnesses from the FBI, Immigration and Customs Enforcement (ICE), and the Department of Commerce about the nature and severity of the threat and its costs to the U.S. economy. We will also learn what the U.S. Government is doing to combat the threat, including its work with small and medium-sized businesses to prevent the loss of trade secrets and intellectual property. I look forward to hearing from today's witnesses on this important topic. Mr. Long. The Chairman now recognizes the Ranking Member of the Subcommittee on Counterterrorism and Intelligence, the gentleman from New York, Mr. Higgins, for any statement he may have. Mr. Higgins. Thank you, Mr. Chairman. I would also like to thank you for holding this important hearing. Tom Friedman, in his book The World is Flat, discusses today's global web-enabled world that allows everybody to plug in and play, sharing knowledge, work irrespective of time, distance, geography and, increasingly, language. This paradigm makes the United States a target for economic espionage, where other nations work covertly to obtain sensitive technology and economic information to undermine our status as a global economic leader. Economic espionage is not a new concept. It has posed a threat to the United States' National security for decades. But now it has become an issue for American businesses, as well. According to the FBI, the United States' companies suffered more than $13 billion in economic losses in fiscal year 2012 alone. This is an appalling figure. What is more astonishing is that we cannot value the true long-term cost of theft in transfer of intellectual property. But we know it is significant. Economic espionage, through cyber attacks committed by foreign intelligence services and other criminal enterprises is so pervasive that in a recent poll 90 percent-- 90 percent--of companies admitted their networks had been breached in the past 12 months; while the other 10 percent could not say with certainty that they had not been penetrated. According to the former White House cybersecurity advisor, Richard Clarke, every major company in the United States has already been penetrated by China. The Chinese have been linked to a wide range of economic espionage in recent years, including the theft of blueprints for the next-generation stealth fighter from a defense contractor. Last month, in a report issued by the Pentagon, officials stated that China would continue to be an aggressive and capable collector of sensitive U.S. technological information. Additionally, in its report to Congress, the Office of National Counterintelligence Executive judged that the most active and persistent perpetrator of economic espionage is China. China is not the only country focused on the United States. Russia is also identified as aggressive in their pursuit of U.S. trade secrets. Further, just about 2 months ago this subcommittee also heard from witnesses that stated that our critical infrastructure was vulnerable to attack from Iran. Given the wealth of trade secrets in America, I am sure it would be possible for it to be vulnerable to espionage from other countries aside from those who have been mentioned. Knowing these facts, the administration is right to take steps to address economic espionage, and I am looking forward to learning more from the testimony today. I hope that they can give us as much insight as they can in an open setting. Although the administration has issued these stern warnings of the threat of economic espionage in reports and through advertisements, Congress has not responded adequately. Key legislation that would have helped protect our most sensitive industries and critical infrastructure from cyber intrusions were not even allowed to be considered by the House. We were disappointed by the Majority's philosophy with respect to these issues, and we are hoping that this testimony will help pave the way for greater transparency and more decisive action. Right now, our cybersecurity legislation is lacking with respect to critical infrastructure. But it seems as if right now is--the Government and companies will deal with resources that are currently available. I look forward to learning how the agencies are dealing with this issue, and if they are cooperating with each other to prevent the devastation of economic espionage. With that, I will yield back. Mr. Long. Thank you, Ranking Member Higgins. Other Members of the committee are reminded that opening statements may be submitted for the record. We are pleased to have a distinguished panel of witnesses before us today on this important topic. Dr. Stuart Graham is the chief economist at the U.S. Patent and Trademark Office, where he manages a team of economists researching the impact of intellectual property on the economy. Dr. Graham's research focuses on the economics of the patent system, intellectual property transactions, and relationships of intellectual property to entrepreneurship, and to commercialization of new technologies. Dr. Graham has testified about the patent system before the U.S. Federal Trade Commission, and has served as a scientific expert to the European patent office, the European trademark office, Industry Canada, and the Organization of Economic Cooperation and Development. He is currently serving as the chief economist while on leave from his academic post at Georgia Tech. Welcome. Mr. John Woods currently serves as the assistant director of the National Security Investigations Division, which is part of the U.S. Immigration and Customs Enforcement Homeland Security's Investigations. Mr. Woods has served in this position since April 2009, overseeing 450 people and managing a $160 million operational budget. Mr. Woods has 26 years of experience in law enforcement, the majority of that time developing and managing programs for the U.S. Immigration and Naturalization Service and HSI. Previously, Mr. Woods served as a deputy assistant director of the National Security Investigations Division, the unit chief of ICE's counterterrorism unit, and the assistant special agent in charge of the Miami SAC office. During this career with INS, he served as a section chief for the Miami district office, and has also served as a supervisory agent in Washington, DC and New York City. Mr. Woods began his Federal law enforcement career in New York City as an INS agent back in 1987. Welcome, Mr. Woods. Mr. Frank Figliuzzi is the assistant director of the FBI's counterintelligence division. Mr. Figliuzzi has been the division's deputy assistant director since November 2010. He was appointed as an FBI special agent in August 1987 and assigned to the Atlanta division, working on terrorism and foreign counterintelligence investigations He was promoted to the National Security Division at the FBI's headquarters in Washington, DC, with the responsibility of oversight of economic espionage matters. Prior to his appointment as deputy assistant director, Mr. Figliuzzi served as the FBI's chief inspector, the chief unit of the Office of Professional Responsibility, at FBI headquarters, and supervisory senior resident agent for the FBI's San Francisco division. Welcome, Mr. Figliuzzi. Mr. Greg Wilshusen is the director of information security issues at the Government Accountability Office, GAO, where he leads information, security-related studies, and audits of the Federal Government. He has over 28 years of auditing, financial management, and information systems experience. Prior to joining GAO in 1997, Mr. Wilshusen held a variety of public and private-sector positions. He was a senior systems analyst at the Department of Education. He also served as the controller for the North Carolina Department of Environment, Health, and Natural Resources, and held several auditing positions at Irving Burton Institutes, Incorporated and the United States Army Audit Agency. Welcome, Mr. Wilshusen. Just hope I am saying that right. The Chairman now recognizes Dr. Graham to testify. STATEMENT OF STUART GRAHAM, CHIEF ECONOMIST, U.S. PATENT AND TRADEMARK OFFICE, U.S. DEPARTMENT OF COMMERCE Mr. Graham. Chairman Long, Ranking Member Higgins, and Members of the subcommittee. Thank you for giving me the opportunity today to testify on the importance of intellectual property protections to the American economy. I am currently serving in the United States Patent and Trademark Office, or under Secretary David Kappos, as the first chief economist in the agency's history. While serving, I am on leave from my academic position at Georgia Tech's Sheller College of Business. My testimony today will focus primarily on the potential impact of economic espionage on one of this country's most important resources; the valuable, intangible assets held by American innovators and safeguarded by intellectual property protections both here and abroad. In a real sense, we cannot appreciate the scope of the potential espionage problem unless we recognize how important IP protections are to U.S. businesses and industries. Mr. Chairman, on April 11, 2012 the Department of Commerce released a report titled Intellectual Property in the U.S. Economy: Industries in Focus. This report details how U.S. companies in our most competitive industries are using patents, copyright, and trade secrets to protect their innovations, and trademarks to distinguish their goods and services from those of competitors. These protections are important supports for the American innovation system, enabling companies to capture market share and effectively sell and export goods, in turn contributing to economic growth and to America's overall competitiveness. The report identifies the 75 American industries most intensively using IP protections, and uses statistical data from across the U.S. Government to examine both the important trends and economic characteristics of these highly IP-intensive industries. There are several important findings contained in the report, including the following. First, the entire U.S. economy relies on some form of IP because virtually every industry either produces it or uses it. During 2010, the IP-intensive industries directly accounted for about 27 million American jobs, and indirectly supported an additional 13 million jobs in the supply chain. This totals 40 million American jobs, or just under 28 percent of all U.S. employment. Jobs in the IP-intensive industries pay well compared to other jobs. In 2010, average weekly wages for these industries were 42 percent higher than wages elsewhere in the economy. That pay differential was an impressive 70 percent higher for jobs in the patent- and copyright-intensive industries. Moreover, the IP-intensive industries accounted for just over $5 trillion in value added in 2010, or about 35 percent of the United States gross domestic product. Finally, merchandise exports of IP-intensive industries totaled $775 billion in 2010. That accounted for just under 61 percent of total U.S. merchandise exports. Mr. Chairman, in light of increasing concerns about IP infringement and misappropriation, the Department of Commerce is emphasizing this area in our domestic and foreign policy objectives. At the USPTO, for instance, we are providing American businesses with information and training such as our China IP toolkit, available to the public on the website stopfakes.gov. The USPTO is also especially proud of our IP attaches program. Currently, we have representatives on the ground in each of the BRIC countries, with 2 attaches currently serving in China helping U.S. companies to navigate through the IP challenges they face there. It is important to note that there are many efforts underway across the Department of Commerce, ranging from the Bureau of Industry and Securities Enforcement activities and administrative sanctions against export violators to outreach and advocacy across the Department directed at helping U.S. companies compete successfully in foreign markets. In conclusion, Mr. Chairman, the growth, job creation, and success of businesses of all shapes and sizes in the U.S. economy are dependent on the effectiveness of IP protection. The Department of Commerce is committed to supporting American innovation, including the ability of U.S. businesses to compete fairly and by protecting our economy from illegal copying and theft. We appreciate your support for the employees and operations of the Department that make that protection possible. Thank you. [The statement of Mr. Graham follows:] Prepared Statement of Stuart Graham June 28, 2012 introduction Chairman Meehan, Ranking Member Higgins, and Members of the subcommittee: Thank you for this opportunity to discuss the potential impact of economic espionage on one of this country's most important resources--the intellectual property (IP) protections of our innovators. It is clear that policies supporting and protecting a higher- quality IP system are making a difference in our Nation's economic recovery. In my testimony today, I will primarily discuss the importance of IP protections to U.S. businesses, with particular focus on the findings contained in the Department of Commerce's recent report titled ``Intellectual Property in the U.S. Economy: Industries in Focus.'' Moreover, I will discuss actions the Department of Commerce is taking to build capacity in the United States for new and existing businesses to protect their innovations. The Department of Commerce is keenly aware that America's core strength lies in our ability to experiment, innovate, and create new value. It is axiomatic that sensible Government policies that encourage and stimulate that spirit of innovation and clear that appropriate protection for American innovation can demonstrably contribute to job creation, economic well- being, and better lives for our people. commerce report overview: ``intellectual property in the u.s. economy: industries in focus'' On April 11, 2012, the Department of Commerce released this report in a White House press conference. Underlining the importance of this topic, speakers included the Secretary of Commerce, the White House Intellectual Property Coordinator, the President of the U.S. Chamber of Commerce, and the President of the AFL-CIO. The report is a collaborative effort by economists in the Economics and Statistical Administration (ESA) and the United States Patent and Trademark Office (USPTO), both bureaus of the Department. This report has had a large impact in helping to educate citizens about the role of intellectual property in our economic health--during the first 30 days after the report's release it was downloaded from the USPTO website over 82,000 times. The report recognizes that innovation--the process through which new ideas are generated and successfully introduced in the marketplace--is a primary driver of U.S. economic growth and National competitiveness.\1\ U.S. companies' use of patents, copyright, and trade secrecy to protect their creations, and trademarks to distinguish their goods and services from those of competitors represent important supports for innovation, enabling firms to capture market share, which contributes to growth in our economy. The granting and protection of intellectual property rights is vital to promoting innovation and creativity and is an essential element of our free enterprise, market- based system. Patents, trademarks, and copyrights are the principal means used to establish ownership of inventions and creative ideas in their various forms, providing a legal foundation to generate tangible benefits from innovation for companies, workers, and consumers. Without this framework, the creators of intellectual property would tend to lose the economic fruits of their own work, thereby undermining the incentives to undertake the investments necessary to develop the IP in the first place.\2\ Moreover, without IP protection, the inventor who had invested time and money in developing the new product or service (sunk costs) would always be at a disadvantage to the new firm that could just copy and market the product without having to recoup any sunk costs or pay the higher salaries required by those with the creative talents and skills. As a result, the benefits associated with American ingenuity would tend to more easily flow outside the United States. --------------------------------------------------------------------------- \1\ National Economic Council et al. 2011. \2\ Ibid., 11. --------------------------------------------------------------------------- The report finds that IP is used everywhere in the economy, and IP rights support innovation and creativity in virtually every U.S. industry. While IP rights play a large role in generating economic growth, too little attention has been given to identifying which industries produce or use significant amounts of IP and rely most intensively on these rights. The report was written to give policy makers and the public more information about the impacts of IP protection in the U.S. economy on which to base sound policy. This report investigates the economic impact in the United States of intellectual property protection by developing several industry- level metrics on IP use and employs these measures to identify a set of the most IP-intensive industries in the U.S. economy. To develop the industry-level metrics discussed, several databases were used, some of which (for the patent and trademark analyses) are publicly available.\3\ --------------------------------------------------------------------------- \3\ See www.uspto.gov/web/offices/ac/ido/oeip/taf/data/naics_conc/ and also www.google.- com/googlebooks/usptotrademarks.html. --------------------------------------------------------------------------- The report employs USPTO administrative data to identify the industries that most intensively use the protection offered by patents and trademarks. For copyrights, the report identifies the set of industries primarily responsible for both the creation and production of copyrighted materials. The report then uses standard statistical methods to identify which American industries are the most patent-, trademark-, and copyright-intensive, and defines this subset of industries as ``IP-intensive.'' Using data collected from sources across the U.S. Government, the report examines both the important trends and economic characteristics of these highly IP-intensive industries, and their meaningful contributions to the U.S. economy. There are several important findings contained in the report. commerce report findings Mr. Chairman, the important findings of the Department's report are as follows: The entire U.S. economy relies on some form of IP, because virtually every industry either produces or uses it. IP-intensive industries accounted for about $5.06 trillion in value added, or 34.8% of U.S. gross domestic product (GDP), in 2010. Merchandise exports of IP-intensive industries totaled $775 billion in 2010, accounting for 60.7% of total U.S. merchandise exports. IP-intensive industries directly accounted for 27.1 million American jobs, or 18.8% of all employment in the economy, in 2010. A substantial share of IP-intensive employment in the United States was in the 60 trademark-intensive industries, with 22.6 million jobs in 2010. The 26 patent-intensive industries accounted for 3.9 million jobs in 2010, while the 13 copyright- intensive industries provided 5.1 million jobs. While IP-intensive industries directly supported 27.1 million jobs either on their payrolls or under employment contracts, these sectors also indirectly supported 12.9 million more supply chain jobs throughout the economy. In other words, every two jobs in IP-intensive industries support an additional one job elsewhere in the economy. In total, 40.0 million jobs, or 27.7% of all jobs, were directly or indirectly attributable to the most IP-intensive industries. Jobs in IP-intensive industries pay well compared to other jobs. Average weekly wages for IP-intensive industries were $1,156 in 2010 or 42% higher than the $815 average weekly wages in other (non-IP-intensive) private industries. This wage premium nearly doubled from 22% in 1990 to 42% by 2010. Patent- and copyright-intensive industries have seen particularly fast wage growth in recent years, with the wage premium in patent-intensive industries increasing from 66% in 2005 to 73% in 2010. And the premium in copyright-intensive industries rising from 65% to 77%. The comparatively high wages in IP-intensive industries correspond to, on average, the completion of more years of schooling by these workers. More than 42% of workers aged 25 and over in these industries in 2010 were college-educated, compared with 34% on average in non-IP intensive industries. Due primarily to historic losses in manufacturing jobs, overall employment in IP-intensive industries has lagged other industries during the last 2 decades. While employment in non- IP intensive industries was 21.7% higher in 2011 than in 1990, overall IP-intensive industry employment grew 2.3% over this same period. Because patent-intensive industries are all in the manufacturing sector, they experienced relatively more employment losses over this period, especially during the past decade. While trademark-intensive industry employment had edged down 2.3% by the end of this period, copyright-intensive industries provided a sizeable employment boost, growing by 46.3% between 1990 and 2011. Between 2010 and 2011, the economic recovery led to a 1.6% increase in direct employment in IP-intensive industries, faster than the 1.0% growth in non-IP-intensive industries. Growth in copyright-intensive industries (2.4%), patent- intensive industries (2.3%), and trademark-intensive industries (1.1%) all outpaced gains in non-IP-intensive industries. Data on foreign trade of IP-intensive service-providing industries is limited. However, this report does find that exports of IP-intensive service-providing industries accounted for approximately 19% of total U.S. private services exports in 2007. the importance of protections to u.s. businesses Mr. Chairman, it is important to point out that the findings contained in the Commerce report concerning the positive economic impacts of the most intensive users of IP in the economy are consistent with previous academic studies finding that secrecy, patenting, and other legal protections are important to U.S. businesses in securing competitive advantage from their innovations. Notably, in response to a survey conducted by scholars at Carnegie-Mellon University in the 1990s, managers of U.S. businesses reported that various legal protections were effective in protecting their product and process innovations. Across all industries surveyed, patenting was found to effectively protect U.S. business' competitive advantage for over one- third of their product innovations, while secrecy was found to effectively protect competitive advantage on innovations in over one- half of product and process innovations.\4\ --------------------------------------------------------------------------- \4\ Cohen, Wesley M., Richard R. Nelson, and John P. Walsh (2000). ``Protecting Their Intellectual Assets: Appropriability Conditions and Why U.S. Manufacturing Firms Patent (or Not).'' NBER Working Paper 7552, available at http://www.nber.org/papers/w7552. --------------------------------------------------------------------------- Given recent evidence from the Kauffman Foundation showing that new business creation disproportionately contributes to job creation in the United States,\5\ it is important to note that a recent survey conducted at the University of California examining only young companies in high-technology industries finds results similar to the Carnegie-Mellon survey.\6\ Managers at start-up companies told the researchers in 2008 that patents, trademarks, copyright, and trade secret protections were all important to securing competitive advantage from their new product and process innovations. Notably, the most important reason that managers cited for seeking patent protection was to prevent others from copying their products or services. --------------------------------------------------------------------------- \5\ See, e.g., Tim J. Kane (2010). ``The Importance of Startups in Job Creation and Job Destruction,'' SSRN working paper, available at http://ssrn.com/abstract=1646934; E.J. Reedy & Robert E. Litan (2011). ``Starting Smaller; Staying Smaller: America's Slow Leak in Job Creation,'' SSRN working paper, available at http://ssrn.com/ abstract=1883660. \6\ Graham, Stuart, Robert P. Merges, Pamela Samuelson, and Ted M. Sichelman (2009). ``High Technology Entrepreneurs and the Patent System: Results of the 2008 Berkeley Patent Survey. Berkeley Technology Law Journal, Vol. 24, No. 4, pp. 255-327, available at http://ssrn.com/ abstract=1429049. --------------------------------------------------------------------------- department of commerce efforts to build capacity and protect american innovation In light of the recent and increasing concerns by U.S. right holders on the importance of having effective mechanisms to protect their trade secrets from misappropriation, the USPTO is emphasizing this area in our domestic and foreign policy objectives, particularly as they relate to other countries. USPTO attorneys are undertaking a comprehensive study of foreign laws and other legal measures governing trade secrets and are discussing with foreign government officials changes that can facilitate more effective protection regimes abroad. For instance, USPTO is using this information to update the ``China IP Toolkit'' on Stopfakes.gov with a section dedicated to trade secret protection and enforcement. This component of the Toolkit will provide an overview of China's major laws and other measures affecting trade secrets and include basic steps a company can consider to protect its trade secrets in China, including not only information on judicial and administrative enforcement mechanisms but also basic strategies companies can employ to help prevent misappropriation from occurring. Also, the USPTO is currently developing training modules on trade secrets for small and medium enterprises and enforcement officials. These modules will include an overview of trade secret law in the United States, measures to protect trade secrets, criminal and civil enforcement procedures, and international trade secret protection and enforcement. My presentation today focuses on USPTO efforts in support of the administration's innovation goals. I would like to note, however, that there are additional efforts underway across the Department of Commerce, ranging from BIS's enforcement activities and administrative sanctions against export violators, to outreach and advocacy directed at helping U.S. IP-intensive industries compete successfully in foreign markets. conclusion Mr. Chairman, the growth, job creation, and success of businesses of all shapes and sizes are highly dependent on the effectiveness of IP protection. The Department of Commerce is committed to supporting not only the creation of innovation, but also the ability of U.S. businesses to compete fairly with these innovations and protect our economy from illegal copying and theft. We appreciate your support for the employees and operations of the Department that make that protection possible. Mr. Long. Thank you, Dr. Graham. The Chairman now recognizes Mr. Woods to testify. STATEMENT OF JOHN P. WOODS, ASSISTANT DIRECTOR, HOMELAND SECURITY INVESTIGATIONS, IMMIGRATION AND CUSTOMS ENFORCEMENT, U.S. DEPARTMENT OF HOMELAND SECURITY Mr. Woods. Chairman Long, Ranking Member Higgins, and distinguished Members of the subcommittee, I thank you for the opportunity to discuss ICE's efforts to combat intellectual property and technology fraud by foreign governments. The theft of U.S. proprietary technology, including controlled dual-use technology and military-grade equipment, from unwitting U.S. companies is one of the most dangerous threats to our National security. By maintaining investigative partnerships with other law enforcement agencies both in the United States and internationally, ICE is at the forefront of our Nation's efforts to investigate these threats. ICE's Homeland Security Investigations handles a wide range of trade fraud investigations, including IP theft, commercial fraud, and export violations. I would like to begin my discussion with our counter- proliferation investigations program, which targets the trafficking and/or illegal export of conventional military equipment, firearms, controlled dual-use equipment and technology, and materials used to manufacture weapons of mass destruction, including chemical, biological, radiological, and nuclear materials. HSI's special agents investigate illegal exports of military equipment and dual-use technologies to embargo countries, and significant financial and business transactions with these proscribed countries and/or groups. We also conduct export enforcement training with foreign law enforcement agencies, and provide outreach with private industries in the United States and internationally. HSI's export enforcement program uses a three-pronged approach. Detecting the illegal exports, investigating those potential violations, and obtaining international cooperation to investigate leads abroad. One of the most effective tools that we use is our industry outreach program, called Project Shield America. Through this program, we conduct outreach to manufacturers, exporters of strategic commodities to educate them on the U.S. export control laws, discuss export licensing issues and requirements, and identify the red-flag indicators used in illicit procurement. To date, we have delivered over 20,000 outreach presentations to private industry and other entities as part of the program. As part of the President's export control reform initiative, it is to improve law enforcement coordination to investigate violations of U.S. export control laws. In November 2010, President Obama signed an Executive Order creating the Export Enforcement Coordination Center, or the E2C2. This multi-agency center is housed within HSI, and serves as the primary Government forum for the exchange of information, intelligence-related export enforcement. The E2C2 enhances the United States' ability to combat illicit proliferation by working to coordinate investigative enforcement activities related to export control. The E2C2 is staffed with full-time personnel from HSI, as well as individuals detailed from other departments and agencies, including from the Department of State, Treasury, Defense, Justice, Commerce, Energy, and the ODNI to name a few. There are a total of 18 partners that reside within the E2C2. Around their functions include coordinating and deconflicting our criminal and administrative enforcement actions in resolving interagency conflicts. They act as a primary point of contact between the enforcement authorities and the licensing authorities. They coordinate public outreach activities by law enforcement. Finally, they are in the process of establishing a Government-wide statistical tracking capability. Additionally, as you know, ICE is the leading agency in the investigation of criminal intellectual property violations involving the illegal production, smuggling, and distribution of counterfeit and pirated products as well as the associated money-laundering violations. The National Intellectual Property Rights Coordination Center, or the IPR Center, which is located in Arlington, Virginia brings together 20 Federal and international partners to provide a comprehensive response to IP theft. Outreach to the industry is also an important part of the IPR Center strategy. To combat the theft of trade secrets, the IPR Center and the Department of Commerce have been hosting a series of intergovernmental meetings to identify the issues and the current U.S. Government response to trade theft. Then they plan to engage the industry representatives and obtain their input and support for enforcement efforts. The IPR Center and Commerce are also providing outreach and training at the State and local level for retailers and brand owners. Through this effort, we are able to provide local rights holders and businesses the valuable insight on best practices, resources, initiatives that can help them combat IP violations, including trade secret theft. HSI is working hard to address the proliferation of U.S. proprietary technology by foreign governments, and to ensure that the technology does not reach the wrong hands, and prosecute those who subvert the rule of law and threaten our National security. We look forward to continuing our work with this subcommittee on this issue, and I thank you for involving me to testify today. I would be glad to answer any questions, when the time comes. [The statement of Mr. Woods follows:] Prepared Statement of John P. Woods June 28, 2012 introduction Chairman Meehan, Ranking Member Higgins, and distinguished Members of the subcommittee: On behalf of Secretary Napolitano and Director Morton, I would like to thank you for the opportunity to discuss the efforts of U.S. Immigration and Customs Enforcement (ICE) to combat intellectual property (IP) and technology fraud by foreign governments. The theft of U.S. proprietary technology, including controlled dual-use technology and military-grade equipment, from unwitting U.S. companies is one of the most dangerous threats to National security. As I will discuss today, by maintaining investigative partnerships with other law enforcement agencies, both in the United States and internationally, ICE is at the forefront of the Nation's efforts to investigate these threats. HSI's Counter-Proliferation Investigations Unit ICE's Homeland Security Investigations (HSI) Directorate is the largest investigative program within the Department of Homeland Security (DHS), with an extensive portfolio of enforcement authorities. Notably, HSI special agents possess statutory authority to enforce more than 400 Federal laws. Specifically, HSI investigates a wide range of trade fraud, including IP theft, commercial fraud, and export violations. HSI special agents detect, disrupt, and dismantle cross- border criminal networks engaged in the smuggling of people, narcotics, bulk cash, weapons, and weapons-related components across our borders. HSI also has full statutory authority to investigate and enforce criminal violations of all U.S. export laws related to military items and controlled ``dual-use'' commodities (i.e., items with both commercial and military applications). Further, HSI has the capability to expand the scope of its investigations to its international offices situated throughout the world. ICE leads the U.S. Government's efforts to prevent foreign adversaries from illegally obtaining U.S. military products and sensitive technology, including weapons of mass destruction and their components. HSI's Counter-Proliferation Investigations (CPI) Unit targets the trafficking and/or illegal export of conventional military equipment, firearms, controlled dual-use equipment and technology, and materials used to manufacture weapons of mass destruction, including chemical, biological, radiological, and nuclear materials. HSI special agents investigate illegal exports of military equipment and dual-use technology to embargoed countries, and significant financial and business transactions with proscribed countries and groups. Our HSI special agents also conduct export enforcement training for foreign law enforcement agencies, and provide outreach with private industry in the United States and internationally. The primary goal of HSI CPI investigations is the detection and disruption of illegal exports before they, or the actors behind them, cause damage to the National security interests of the United States. HSI's export enforcement program uses a three-pronged approach: Detecting illegal exports, investigating potential violations, and obtaining international cooperation to investigate leads abroad. HSI relies on specially-trained U.S. Customs and Border Protection officers stationed at ports of entry to inspect suspect export shipments. Following detection of a violation, HSI special agents deployed throughout the country initiate and pursue investigations to identify, arrest, and seek prosecution of offenders of the Arms Export Control Act of 1976, the Export Administration Act of 1979, the International Emergency Economic Powers Act, and other related statutes. The international nature of counterproliferation networks and schemes requires a global investigative response. The HSI Office of International Affairs has 71 offices around the world that work to enlist the support of their host governments to initiate new investigative leads and to develop information in support of on-going domestic investigations. In fiscal year 2011, HSI special agents initiated a total of 1,785 criminal investigations into possible export violations, made over 530 arrests, and obtained 487 indictments and 304 convictions for export- related criminal violations, more than any other Federal law enforcement agency (as reported by the Department of Justice). In addition, HSI agents conducted over 1,200 seizures of arms, military weaponry, and other sensitive commodities related to illegal export schemes. These efforts contributed to preventing sensitive U.S. technologies and weapons from falling into the wrong hands. Project Shield America (PSA) One of the most effective tools HSI special agents use as part of HSI's larger counter-proliferation strategy is our industry outreach program, Project Shield America (PSA). Through this program, HSI special agents conduct outreach to manufacturers and exporters of strategic commodities to educate them on U.S. export control laws, discuss export licensing issues and requirements, identify ``red flag'' indicators used in illegal procurement, and identify the Government agencies responsible for the licensing of export controlled commodities and technology. As of 2011, HSI agents have delivered over 20,000 outreach presentations to private industry and other entities as part of the PSA program. Export Enforcement Coordination Center (E2C2) A part of the President's Export Control Reform Initiative is to improve law enforcement coordination to investigate violations of U.S. export control laws. In November 2010, President Obama signed an Executive Order creating the Export Enforcement Coordination Center (E2C2)--a multi-agency center housed within HSI that serves as the primary Government forum for the exchange of information and intelligence related to export enforcement. Operational since April of this year, E2C2 enhances the United States' ability to combat illicit proliferation by working to coordinate investigative and enforcement activities related to export control. The E2C2 is staffed with full-time personnel from HSI, as well as individuals detailed from other departments and agencies including the Departments of State, Treasury, Defense (DoD), Justice, Commerce, Energy, the Office of the Director of National Intelligence, and other Executive Branch departments, agencies, or offices as designated by the President. Specifically, the functions of the E2C2 include: Coordinating the deconfliction of criminal and administrative enforcement actions and resolving conflicts that have not been otherwise resolved in the field; Acting as the primary point of contact between enforcement authorities and agencies engaged in export licensing; Coordinating law enforcement public outreach activities related to U.S. export controls; and Establishing Government-wide statistical tracking capabilities for U.S. export enforcement activities. The E2C2 replaced HSI's National Export Enforcement Coordination Network (NEECN), which led coordination among DHS components to address challenges inherent with dismantling transnational procurement networks. Unlike the NEECN, the Executive Order requires E2C2 participation by law enforcement and the intelligence community (IC). CPI Centers Faced with increasingly sophisticated global procurement networks, HSI has established and implemented CPI Centers throughout the United States to utilize CPI resources in the field strategically. The CPI Centers are intended to serve as a regional HSI resource for manpower, expertise, de-confliction, undercover operational support, and/or other CPI assistance that HSI offices may require. This concept allows for dedicated and experienced HSI special agents to be strategically placed in high-risk domestic areas to improve HSI's ability to combat illegal exports and illicit procurement networks that pose a threat to the United States. Geographically, CPI Centers are selected based on criteria including significant cases and statistics, threat assessments in respective areas of responsibility, and proximity to DoD and other U.S. Government agencies involved in export enforcement. ICE currently has 12 CPI Centers located throughout the United States. National Intellectual Property Rights Center ICE is a leading agency in the investigation of criminal intellectual property violations involving the illegal production, smuggling, and distribution of counterfeit and pirated products, as well as associated money-laundering violations. Led by ICE, the National Intellectual Property Rights Coordination Center (IPR Center), located in Arlington, Virginia, brings together 20 Federal and international partners to leverage resources, skills, and authorities to provide a comprehensive response to IP theft. The mission of the IPR Center is to address the theft of innovation that threatens U.S. economic stability and National security, undermines the competitiveness of U.S. industry in world markets, and places the public's health and safety at risk. The entry of goods into the United States is an integral part of the economic health of our Nation. However, with the growth of international trade comes an increased risk of border security compromises, including threats to National security and economic crime. IPR Center Outreach Outreach to industry is an important part of the IPR Center's strategy. To combat the theft of trade secrets, the IPR Center and the Department of Commerce (DOC) have been hosting a series of intra- governmental meetings to identify the issues and the current U.S. Government response to trade secret theft, and then plan to engage with industry representatives to obtain their input and support in these efforts. The IPR Center has further enhanced its collaboration with the DOC to provide outreach and training at the State and local level for retailers and brand owners. In collaboration with the U.S. Export Assistance Centers, these outreach and awareness-raising efforts are planned to precede or follow selected IPR Center training events. Through this effort, DOC and the IPR Center, along with other U.S. Government agencies and industry, are able to provide local rights holders and businesses with valuable insight on best practices, resources, and initiatives that can help them combat IP violations, including trade secret theft. conclusion HSI special agents are working tirelessly to combat the proliferation of U.S. proprietary technology by foreign governments, ensure that this technology does not reach the wrong hands, and prosecute those who subvert the rule of law and threaten our National security. We look forward to continuing to work with the subcommittee on this issue. Thank you once again for the opportunity to appear before you today. I would be pleased to answer any questions. Mr. Long. The Chairman now recognizes--oops. Thank you, Mr. Woods. The Chairman now recognizes Mr. Figliuzzi to testify. STATEMENT OF C. FRANK FIGLIUZZI, ASSISTANT DIRECTOR, COUNTERINTELLIGENCE DIVISION, FEDERAL BUREAU OF INVESTIGATION, U.S. DEPARTMENT OF JUSTICE Mr. Figliuzzi. Good morning, Chairman Long and Ranking Member Higgins, and Members of the subcommittee. Thank you for the opportunity to testify before you today. For the past year- and-a-half I have had the privilege of leading the FBI's counterintelligence division. Our mission is to identify, disrupt, and defeat the efforts of foreign intelligence services operating inside a United States. To put it simply, the FBI is in the spy-catching business, and today I can tell you that our business is booming. This is an appropriate time to address economic espionage: The unauthorized acquisition of business trade secrets or proprietary information and the illegal transfer of technology. With each year, foreign intelligence services and their collectors become more sophisticated in their methods to undermine American business and erode what gives America our leading edge--our ability to innovate. In the FBI's pending caseload, just this fiscal year economic espionage has cost the American economy more than $13 billion. The health of America's companies is vital to our economy, and our economic is a matter of National security. But the FBI, with our partner agencies, is making strides in disrupting economic espionage plots. This year, we have surpassed last year's statistics by achieving 10 arrests, 21 indictments, and 9 convictions for economic espionage-related crimes. As the FBI's economic espionage caseload is growing, so is the percentage of our cases attributed to an insider threat coming from trusted employees and contractors, or former employees and contractors. This threat, of course, is not new. But it is becoming more prevalent. In this time of global economic uncertainty, it is lucrative for an employee to steal our technology and offer it to the highest bidder. Foreign nations know that it is always cheaper to steal U.S. technology than it is to research and develop it themselves. On May 11, 2012 the FBI initiated a public awareness campaign regarding an increased targeting of unclassified trade secrets across all American industries and sectors. Our website, www.fbi.gov, includes many resources to help counter this threat. The illegal transfer of U.S. technology is a second grave threat to our National security. The FBI is seeing an expansion of weapons proliferation cases involving U.S.-acquired components. These are components exported from American companies initially headed to someplace they are allowed to be but, ultimately, destined for someplace they should never be. The FBI's counterproliferation center, that identifies and disrupts networks of WMD activity, has tripled its disruptions of illegal transfers of technology since fiscal year 2011, including making more than a dozen arrests in the last year. Two case examples illustrate our successes in working alongside our U.S. law enforcement and intelligence community partners. In the first case, an Iranian proliferator used shell companies worldwide to supply Iran with military- and defense- related equipment. In 4 years, FBI cases helped interdict metal shipments headed to Iran which would have been the equivalent of more than 80 ballistic missiles. In the second case, another Iranian proliferation network obtained dual-use equipment from unwitting U.S. companies and shipped them to intermediary front companies in Asian nations before ultimately rerouting the shipments to Iran. More than a dozen of these components have been recovered as part of improvised explosive devices used against American servicemembers in Iraq from 2008 to 2011. The threat of economic espionage and illegal transfers of technology are not emerging threats on the horizon; they are with us right now. As long as America has what other nations want, and as long as there are foreign intelligence services working to get it, we will continue to see these types of threats. We are producing results as a result of our robust Government, business, and academic outreach partnerships, including partnerships among the agencies represented today at this hearing. We are all making it more difficult and less lucrative for individuals and entities to carry out the illegal taskings of foreign governments, and hardening our defenses against those who would so us harm. Thank you for the opportunity to speak to you today, and I would be happy to answer your questions. [The statement of Mr. Figliuzzi follows:] Prepared Statement of C. Frank Figliuzzi June 28, 2012 Good morning Chairman Meehan, Ranking Member Higgins, and Members of the subcommittee. Thank you for the opportunity to testify before you today. For the past year-and-a-half, I have had the privilege of leading the FBI's Counterintelligence Division (``CD''). Our mission is to identify, disrupt, and defeat the efforts of foreign intelligence services operating inside the United States. In the FBI's pending case load for the current fiscal year, economic espionage losses to the American economy total more than $13 billion. The health of America's companies is vital to our economy, and our economy is a matter of National security. But the FBI, with our partners, is making strides in disrupting economic espionage plots. In just the last 4 years, the number of arrests the FBI has made associated with economic espionage has doubled; indictments have increased five-fold; and convictions have risen eight-fold. In just the current fiscal year, the FBI has made 10 arrests for economic espionage-related charges; Federal courts have indicted 21 of our subjects (including indictments of five companies), and convicted nine defendants. In the current fiscal year so far, we have already surpassed the statistics recorded for fiscal year 2011 and expect them to continue to rise. With each year, foreign intelligence services and their collectors become more creative and more sophisticated in their methods to undermine American business and erode the one thing that most provides American business its leading edge-- our ability to innovate. As the FBI's economic espionage caseload is growing, so is the percentage of cases attributed to an Insider Threat, meaning that, individuals currently (or formerly) trusted as employees and contractors are a growing part of the problem. According to a February 2012 indictment, several former employees with more than 70 combined years of service to the company were convinced to sell trade secrets to a competitor in the People's Republic of China (``PRC''). Entities owned by the PRC government sought information on the production of titanium dioxide, a white pigment used to color paper, plastics, and paint. The PRC government tried for years to compete with DuPont Corporation, which holds the largest share of a $12 billion annual market in titanium dioxide. Five individuals and five companies were commissioned by these PRC state- owned enterprises collaborate in an effort to take DuPont's technology to the PRC and build competing titanium dioxide plants, which would undercut DuPont revenues and business. Thus far, three co-conspirators have been arrested and one additional co-conspirator has pled guilty in Federal court. This case is one of the largest economic espionage cases in FBI history. The Insider Threat, of course, is not new, but it's becoming more prevalent for a host of reasons, including The pervasiveness of employee financial hardships during economic difficulties; The global economic crisis facing foreign nations, making it even more attractive, cost-effective, and worth the risk to steal technology rather than invest in research and development; The ease of stealing anything stored electronically, especially when one has legitimate access to it; and The increasing exposure to foreign intelligence services presented by the reality of global business, joint ventures, and the growing international footprint of American firms. To address the evolving Insider Threat, the FBI has become more proactive to prevent losses of information and technology. CD continues expanding our outreach and liaison alliances to Government agencies, the defense industry, academic institutions, and, for the first time, to the general public, because of an increased targeting of unclassified trade secrets across all American industries and sectors. On May 11, 2012, the FBI launched a media campaign highlighting the Insider Threat relating to economic espionage. This campaign included print and television interviews, billboards along busy commuter corridors in nine leading research areas Nation-wide, and public information on the FBI website. Through this campaign, the FBI hopes to reach the public and business communities by explaining how the Insider Threat affects a company's operations and educating them on how to detect, prevent, and respond to threats to their organizations' proprietary information. Perhaps the most important among these is identifying and taking defensive measures against employees stealing trade secrets. A recent case underscores the value of the FBI and private companies working together to stop economic espionage and prevent financial losses or breaches of National security. An employee at a Utah company noticed a co-worker download the recipe for manufacturing a proprietary chemical and email it to his personal email account. After this suspicious activity was reported, the company opened its own investigation into the matter and learned that the employee had shared the manufacturing secret with an individual associated with a foreign chemical company. Because of an FBI presentation about economic espionage, company executives called the FBI, and the employee was arrested and charged within 10 days. If businesses, universities, and law enforcement continue to partner together, we can track, apprehend, and prosecute many more individuals suspected of economic espionage. A second grave threat to our National security is the illegal transfer of U.S. technology. The FBI is seeing an expansion of weapons proliferation cases involving U.S.-acquired components. These are components exported from American companies, initially headed to someplace they're allowed to be, but ultimately destined for someplace they should never be. The FBI's Counterproliferation Center (CPC), which identifies and disrupts networks of weapons of mass destruction (WMD) activity, is responsible for pursuing cases of illegal technology transfer, whether the technology is intended for WMDs or other uses. The CPC has tripled its disruptions of illegal transfers of technology since fiscal year 2011. We have made more than a dozen arrests since the CPC's inception in July 2011, including the arrests of multiple subjects on the Central Intelligence Agency's Top Ten Proliferators List. The CPC has also surpassed statistics recorded for fiscal year 2011 and in fiscal year 2012 (to date). One example of this sort of case involved an Iranian proliferation network with associates in Hong Kong, Taiwan, Singapore, and Malaysia, and particularly highlights our partnership with the Department of Commerce's Office of Export Enforcement and Homeland Security investigations. The network leader targeted dual-use electronic equipment including radio frequency modules. The target obtained this equipment from unwitting U.S. companies and shipped them to intermediary front companies in East Asia before ultimately rerouting the shipments to Iran. Over a dozen of these components have been recovered in caches of improvised explosive devices (``IEDs'') or recovered as part of the remote detonation systems of the pre- and post-blast IEDs used against American soldiers in Iraq from 2008-2011. Four co-conspirators in Singapore have been arrested and extradition proceedings to the United States to stand trial are on-going. One U.S. co-conspirator, who worked in research and development at the company manufacturing and shipping these items, pled guilty in Federal court this January. The answer to the threat lies, in part, on the partnerships represented at this hearing. Acting together, we are stronger than when we act alone and are producing results. As we continue our investigative and prosecutorial efforts we make it more painful for individuals and entities to carry out missions related to economic espionage. And as we strengthen and expand public awareness of the threat through our alliances with business and academia, we harden our defenses against those who would do us harm. Again, thank you for the opportunity to speak with you today. I would be pleased to answer any questions. Mr. Long. Thank you, Mr. Figliuzzi. The Chairman now recognizes Mr. Wilshusen to testify. STATEMENT OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE Mr. Wilshusen. Chairman Long, Ranking Member Higgins, and Members of the subcommittee, thank you for the opportunity to testify at today's hearing on the threat of economic espionage facing the United States. This threat is not new. In April, 1992 we testified that the theft of U.S. proprietary information or technology by foreign companies has long been a part of the competitive business environment. We also testified that the unauthorized acquisition of U.S. proprietary and other information by foreign governments to advance their country's economic position was growing. Today, this threat continues to grow. The United States, a leader in innovation and technological research and development, remains a prime target. In addition, the increasing dependence on network IT systems and the use of cyberspace have vastly enhanced the reach and potential impact of such threats by making it possible for hostile actors to quickly steal massive amounts of information while remaining anonymous and difficult to detect. Mr. Chairman, I will describe some of the cyber threats, reported incidents affecting our Nation's systems, IT security safeguards available for helping to reduce these risks, and the roles of key Federal entities in supporting the protection of intellectual property. But before I do, Mr. Chairman, if I may I would like to recognize several members of my team who were instrumental in developing this statement. With me today is Mike Gilmore and Angelique Lawrence. Back at the office, Lee McCracken, Brad Becker, and Kush Malhotra were very helpful. Mr. Chairman, the Nation faces an evolving array of cyber- based threats from a variety of sources. These sources include foreign nations, business competitors, criminal groups, hackers, and corrupt insiders engaged in criminal activities such as fraud, computer extortion, and economic and industrial espionage, among others. They vary in their terms of capabilities, willingness to act, and motives, which can include seeking monetary gain and pursuing economic, political, or military advantage. Moreover, they have a variety of attack techniques that can be used to view, exfiltrate, and modify valuable information. The magnitude of the threat is compounded by the ever-increasing sophistication of cyber attack techniques, such as attacks that may combine multiple exploits. Reported attacks involving private-sector and Government systems occur daily and demonstrate that their impact can be serious. For example, consumers could suffer privacy and financial loss from identity theft and on-line scams. Private companies could lose their competitive advantage and market value from the cyber theft of an intellectual property or business proprietary information. Essential Government functions and critical infrastructure services could be impaired or disrupted. To protect against these threats, a variety of security controls and practices are available. These include technical controls such as those that manage access to systems, ensure system integrity, and encrypt sensitive data. Risk management and strategic planning are key practices that organizations undertake to improve their overall security posture and reduce their exposure to cyber risk. Effective public-private partnerships can facilitate information-sharing about cyber threats and countermeasures. Multiple Federal agencies have roles in supporting the protection of intellectual property rights, such as the Departments of Commerce, Justice, and Homeland Security. For example, components within the Justice Department, including the FBI, are dedicated to fighting computer-based threats to intellectual property. In addition, both Congress and the administration have established interagency mechanisms to better coordinate the protection of intellectual property. Ensuring the effective coordination among these efforts will be imperative for enhancing the economic security of the United States. In summary, the on-going efforts to steal U.S. intellectual property and other sensitive information are exacerbated by the ever-increasing prevalence and sophistication of cyber threats facing the Nation. Recently-reported incidents show that such actions can have serious consequences not only on individual businesses, but on private citizens and the economy as a whole. Effective coordination among Federal agencies, as well as robust public- private partnerships, are essential elements of any Nation-wide effort to protect America's businesses and economic security from cyber-based threats. Mr. Chairman, Ranking Member Higgins, this concludes my statement. I would be pleased to answer any questions you may have. [The statement of Mr. Wilshusen follows:] Prepared Statement of Gregory C. Wilshusen Chairman Meehan, Ranking Member Higgins, and Members of the subcommittee: Thank you for the opportunity to testify at today's hearing on the threat of economic espionage facing U.S. businesses. The threat of economic espionage\1\ is not new. In April 1992, we testified that the theft of U.S. proprietary information or technology by foreign companies has long been a part of the competitive business environment.\2\ We also testified that the unauthorized acquisition of U.S. proprietary or other information by foreign governments to advance their countries' economic position was growing. --------------------------------------------------------------------------- \1\ According to the Office of the National Counterintelligence Executive, economic espionage occurs when an actor, knowing or intending that his or her actions will benefit any foreign government, instrumentality, or agent, knowingly: (1) Steals, or without authorization appropriates, carries away, conceals, or obtains by deception or fraud a trade secret; (2) copies, duplicates, reproduces, destroys, uploads, downloads, or transmits that trade secret without authorization; or (3) receives a trade secret knowing that the trade secret had been stolen, appropriated, obtained or converted without authorization. See Foreign Spies Stealing U.S. Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011 (October 2011). \2\ GAO, Economic Espionage: The Threat to U.S. Industry, Testimony before the Subcommittee on Economic and Commercial Law, Committee on the Judiciary, House of Representatives, GAO/T-OSI-92-6 (April 29, 1992). --------------------------------------------------------------------------- Today, this threat continues to grow. According to the Federal Bureau of Investigation (FBI), the theft of intellectual property (IP)\3\--products of human intelligence and creativity--is a growing threat which is heightened by the rise of the use of digital technologies.\4\ The increasing dependency upon information technology (IT) systems and networked operations pervades nearly every aspect of our society. In particular, increasing computer interconnectivity--most notably growth in the use of the internet--has revolutionized the way that our Government, our Nation, and much of the world communicate and conduct business. While bringing significant benefits, this dependency can also create vulnerabilities to cyber-based threats. Cyber attacks are one way that threat actors--whether nations, companies, or criminals--can target the intellectual property and other sensitive information of Federal agencies and American businesses. According to the Office of the National Counterintelligence Executive, sensitive U.S. economic information and technology are targeted by intelligence services, private-sector companies, academic and research institutions, and citizens of dozens of countries.\5\ To help address this threat, Federal agencies have a key role to play in law enforcement, deterrence, and information sharing. Underscoring the importance of this issue, we have designated Federal information security as a high- risk area since 1997 and in 2003 expanded this area to include protecting computerized systems supporting our Nation's critical infrastructure.\6\ --------------------------------------------------------------------------- \3\ Intellectual property is a category of legal rights that grants owners certain exclusive rights to intangible assets or products of the human intellect, such as inventions; literary and artistic works; and symbols, names, images, and design. \4\ See the FBI's website on cybercrime and intellectual property theft at http://www.fbi.gov/about-us/investigate/cyber/ipr/ipr. \5\ Office of the National Counterintelligence Executive, Foreign Spies Stealing U.S. Economic Secrets in Cyberspace. \6\ See, most recently, GAO, High-Risk Series: An Update, GAO-11- 278 (Washington, DC: February 2011). --------------------------------------------------------------------------- In my testimony today, I will describe: (1) Cyber threats facing the Nation's systems, (2) reported cyber incidents and their impacts, (3) security controls and other techniques available for reducing risk, and (4) the responsibilities of key Federal entities in support of improving the protection of intellectual property. In preparing this statement in June 2012, we relied on our previous work in these areas. (Please see the related GAO products in appendix II.) These products contain detailed overviews of the scope and methodology we used. We also reviewed relevant reports from the Department of Justice and Office of the National Counterintelligence Executive, and information on security incidents, including those involving economic espionage, from the U.S. Computer Emergency Readiness Team (US-CERT), media reports, and other publicly available sources. The work on which this statement is based was conducted in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform audits to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provided a reasonable basis for our findings and conclusions based on our audit objectives. background As computer technology has advanced, both Government and private entities have become increasingly dependent on computerized information systems to carry out operations and to process, maintain, and report essential information. Public and private organizations rely on computer systems to transmit sensitive and proprietary information, develop and maintain intellectual capital, conduct operations, process business transactions, transfer funds, and deliver services. In addition, the internet has grown increasingly important to American business and consumers, serving as a medium for hundreds of billions of dollars of commerce each year. Consequently, ineffective information security controls can result in significant risks, including: loss or theft of resources, including money and intellectual property; inappropriate access to and disclosure, modification, or destruction of sensitive information; use of computer resources for unauthorized purposes or to launch attacks on other computers' systems; damage to networks and equipment; loss of business due to lack of customer confidence; and increased costs from remediation. the nation faces an evolving array of cyber-based threats Cyber-based threats are evolving and growing and arise from a wide array of sources. These sources include business competitors, corrupt employees, criminal groups, hackers, and foreign nations engaged in espionage and information warfare. These threat sources vary in terms of the capabilities of the actors, their willingness to act, and their motives, which can include monetary gain or political advantage, among others. Table 1 shows common sources of cyber threats. TABLE 1.--SOURCES OF CYBERSECURITY THREATS ------------------------------------------------------------------------ Threat source Description ------------------------------------------------------------------------ Bot-network operators............. Bot-net operators use a network, or bot-net, of compromised, remotely controlled systems to coordinate attacks and to distribute phishing schemes, spam, and malware attacks. The services of these networks are sometimes made available on underground markets (e.g., purchasing a denial-of-service attack or services to relay spam or phishing attacks). Business competitors.............. Companies that compete against or do business with a target company may seek to obtain sensitive information to improve their competitive advantage in various areas, such as pricing, manufacturing, product development, and contracting. Criminal groups................... Criminal groups seek to attack systems for monetary gain. Specifically, organized criminal groups use spam, phishing, and spyware/malware to commit identity theft, on-line fraud, and computer extortion. Hackers........................... Hackers break into networks for the thrill of the challenge, bragging rights in the hacker community, revenge, stalking, monetary gain, and political activism, among other reasons. While gaining unauthorized access once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the internet and launch them against victim sites. Thus, while attack tools have become more sophisticated, they have also become easier to use. According to the Central Intelligence Agency, the large majority of hackers do not have the requisite expertise to threaten difficult targets such as critical U.S. networks. Nevertheless, the worldwide population of hackers poses a relatively high threat of an isolated or brief disruption causing serious damage. Insiders.......................... The disgruntled or corrupt organization insider is a source of computer crime including economic espionage. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a target system often allows them to gain unrestricted access to cause damage to the system or to steal system data. The insider threat includes contractors hired by the organization, as well as careless or poorly-trained employees who may inadvertently introduce malware into systems. International corporate spies..... International corporate spies pose a threat to the United States through their ability to conduct economic and industrial espionage* and large- scale monetary theft and to hire or develop hacker talent. Nations........................... Nations use cyber tools as part of their information-gathering and espionage activities, including economic espionage directed against U.S. businesses. In addition, several nations are aggressively working to develop information warfare doctrine, programs, and capabilities. In his January 2012 testimony, the Director of National Intelligence stated that, among state actors, China and Russia are of particular concern. Phishers.......................... Individuals or small groups execute phishing schemes in an attempt to steal identities or information for monetary gain. Phishers may also use spam and spyware or malware to accomplish their objectives. Spammers.......................... Individuals or organizations distribute unsolicited e-mail with hidden or false information in order to sell products, conduct phishing schemes, distribute spyware or malware, or attack organizations (e.g., a denial of service). Spyware or malware authors........ Individuals or organizations with malicious intent carry out attacks against users by producing and distributing spyware and malware. Several notable destructive computer viruses and worms have harmed files and hard drives, including the Melissa Macro Virus, the Explore.Zip worm, the CIH (Chernobyl) Virus, Nimda, Code Red, Slammer, and Blaster. Terrorists........................ Terrorists seek to destroy, incapacitate, or exploit critical infrastructures in order to threaten National security, cause mass casualties, weaken the economy, and damage public morale and confidence. Terrorists may use phishing schemes or spyware/malware in order to generate funds or gather sensitive information. ------------------------------------------------------------------------ * According to the Office of the National Counterintelligence Executive, industrial espionage, or theft of trade secrets, occurs when an actor, intending or knowing that his or her offense will injure the owner of a trade secret of a product produced for or placed in interstate or foreign commerce, acts with the intent to convert that trade secret to the economic benefit of anyone other than the owner. See Foreign Spies Stealing U.S. Economic Secrets in Cyberspace. Source.--GAO analysis based on data from the Director of National Intelligence, Department of Justice, Central Intelligence Agency, National Institute of Standards and Technology, and the Software Engineering Institute's CERT Coordination Center. These sources of cyber threats make use of various techniques, or exploits, to adversely affect an organization's computers, software, or networks, or to intercept or steal valuable or sensitive information. Table 2 provides descriptions of common types of cyber exploits. TABLE 2.--TYPES OF CYBER EXPLOITS ------------------------------------------------------------------------ Type of Exploit Description ------------------------------------------------------------------------ Cross-site scripting.............. An attack that uses third-party web resources to run script within the victim's web browser or scriptable application. This occurs when a browser visits a malicious website or clicks a malicious link. The most dangerous consequences occur when this method is used to exploit additional vulnerabilities that may permit an attacker to steal cookies (data exchanged between a web server and a browser), log key strokes, capture screen shots, discover and collect network information, and remotely access and control the victim's machine. Denial-of-service................. An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources. Distributed denial-of-service..... A variant of the denial-of-service attack that uses numerous hosts to perform the attack. Logic bombs....................... A piece of programming code intentionally inserted into a software system that will cause a malicious function to occur when one or more specified conditions are met. Phishing.......................... A digital form of social engineering that uses authentic-looking, but fake, e-mails to request information from users or direct them to a fake website that requests information. Passive wiretapping............... The monitoring or recording of data, such as passwords transmitted in clear text, while they are being transmitted over a communications link. This is done without altering or affecting the data. Structured Query Language (SQL) An attack that involves the injection. alteration of a database search in a web-based application, which can be used to obtain unauthorized access to sensitive information in a database. Trojan horse...................... A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms by, for example, masquerading as a useful program that a user would likely execute. Virus............................. A computer program that can copy itself and infect a computer without the permission or knowledge of the user. A virus might corrupt or delete data on a computer, use e- mail programs to spread itself to other computers, or even erase everything on a hard disk. Unlike a computer worm, a virus requires human involvement (usually unwitting) to propagate. War driving....................... The method of driving through cities and neighborhoods with a wireless- equipped computer--sometimes with a powerful antenna--searching for unsecured wireless networks. Worm.............................. A self-replicating, self- propagating, self-contained program that uses network mechanisms to spread itself. Unlike computer viruses, worms do not require human involvement to propagate. Zero-day exploit.................. An exploit that takes advantage of a security vulnerability previously unknown to the general public. In many cases, the exploit code is written by the same person who discovered the vulnerability. By writing an exploit for the previously unknown vulnerability, the attacker creates a potent threat since the compressed time frame between public discoveries of both makes it difficult to defend against. ------------------------------------------------------------------------ Source: GAO analysis of data from the National Institute of Standards and Technology, United States Computer Emergency Readiness Team, and industry reports. Cyberspace--where much business activity and the development of new ideas often take place--amplifies these threats by making it possible for malicious actors to quickly steal and transfer massive quantities of data while remaining anonymous and difficult to detect.\7\ For example, cyber attackers do not need to be physically close to their victims, technology allows attacks to easily cross State and National borders, attacks can be carried out at high speed and directed at a number of victims simultaneously, and cyber attackers can more easily remain anonymous. Moreover, the use of these and other techniques is becoming more sophisticated, with attackers using multiple or ``blended'' approaches that combine two or more techniques. Using such techniques, threat actors may target individuals, resulting in loss of privacy or identity theft; businesses, resulting in the compromise of proprietary information or intellectual property; critical infrastructures, resulting in their disruption or destruction; or Government agencies, resulting in the loss of sensitive information and damage to economic and National security. --------------------------------------------------------------------------- \7\ Office of the National Counterintelligence Executive, Foreign Spies Stealing U.S. Economic Secrets in Cyberspace. --------------------------------------------------------------------------- reported cyber-incidents illustrate serious risk to the security of intellectual property and other sensitive economic information Reports of cyber incidents affecting both public and private institutions are widespread. The U.S. Computer Emergency Readiness Team (US-CERT) receives computer security incident reports from Federal agencies, State and local governments, commercial enterprises, U.S. citizens, and international computer security incident response teams. In its fiscal year 2011 report to Congress on implementation of the Federal Information Security Management Act of 2002, the Office of Management and Budget reported that US-CERT received over 100,000 total incident reports in fiscal year 2011. Over half of these (about 55,000) were phishing exploits; other categories of incidents included virus/ Trojan horse/worm/logic bombs; malicious websites; policy violations; equipment theft or loss; suspicious network activity; attempted access; and social engineering. Private-sector organizations have experienced a wide range of incidents involving data loss or theft, economic loss, computer intrusions, and privacy breaches, underscoring the need for improved security practices. The following examples from news media and other public sources illustrate that a broad array of information and assets remain at risk. In March 2012, it was reported that a security breach at Global Payments, a firm that processed payments for Visa and Mastercard, could compromise the credit- and debit-card information of millions of Americans. Subsequent to the reported breach, the company's stock fell more than 9 percent before trading in its stock was halted. Visa also removed the company from its list of approved processors. In March 2012, it was reported that Blue Cross Blue Shield of Tennessee paid out a settlement of $1.5 million to the U.S. Department of Health and Human Services arising from potential violations stemming from the theft of 57 unencrypted computer hard drives that contained protected health information of over 1 million individuals. In April 2011, Sony disclosed that it suffered a massive breach in its video game on-line network that led to the theft of personal information, including the names, addresses, and possibly credit card data belonging to 77 million user accounts. In February 2011, media reports stated that computer hackers had broken into and stolen proprietary information worth millions of dollars from the networks of six U.S. and European energy companies. A retailer reported in May 2011 that it had suffered a breach of its customers' card data. The company discovered tampering with the personal identification number (PIN) pads at its checkout lanes in stores across 20 States. In mid-2009 a research chemist with DuPont Corporation reportedly downloaded proprietary information to a personal e- mail account and thumb drive with the intention of transferring this information to Peking University in China and also sought Chinese government funding to commercialize research related to the information he had stolen. Between 2008 and 2009, a chemist with Valspar Corporation reportedly used access to an internal computer network to download secret formulas for paints and coatings, reportedly intending to take this proprietary information to a new job with a paint company in Shanghai, China. In December 2006, a product engineer with Ford Motor Company reportedly copied approximately 4,000 Ford documents onto an external hard drive in order to acquire a job with a Chinese automotive company. These incidents illustrate the serious impact that cyber threats can have on, among other things, the security of sensitive personal and financial information and proprietary information and intellectual property. While these effects can be difficult to quantify monetarily, they can include any of the following: For consumers or private citizens: Identity theft or compromise of personal and economic information and costs associated with lower-quality counterfeit or pirated goods. For business: Lost sales, lost brand value or damage to public image, cost of intellectual property protection, and decreased incentive to invest in research and development. For the economy as a whole: Lower economic growth due to reduced incentives to innovate and lost revenue from declining U.S. trade with countries that have weak IP rights regimes. security controls and other techniques can reduce vulnerability to cyber-based attacks The prevalence of cyber threats and the risks they pose illustrate the need for security controls and other actions that can reduce organizations' vulnerability to such attacks. As we have reported, there are a number of cybersecurity technologies that can be used to better protect systems from cyber attacks, including access control technologies, system integrity technologies, cryptography, audit and monitoring tools, and configuration management and assurance technologies.\8\ In prior reports, we have made hundreds of recommendations to Federal agencies to better protect their systems and cyber-reliant critical infrastructures. Table 3 summarizes some of the common cybersecurity technologies, categorized by the type of security control they help to implement. --------------------------------------------------------------------------- \8\ GAO, Technology Assessment: Cybersecurity for Critical Infrastructure Protection, GAO-04-321 (Washington, DC: May 28, 2004). TABLE 3.--COMMON CYBERSECURITY TECHNOLOGIES ---------------------------------------------------------------------------------------------------------------- Category Technology What it does ---------------------------------------------------------------------------------------------------------------- Access control: Boundary protection............ Firewalls............................ Control access to and from a network or computer. Authentication................. Biometrics........................... Uses human characteristics, such as fingerprints, irises, and voices, to establish the identity of the user. Authorization.................. User rights and privileges........... Allow or prevent access to data and systems and actions of users based on the established policies of an organization. System integrity................... Antivirus software................... Provides protection against malicious code, such as viruses, worms, and Trojan horses. Cryptography....................... Digital signatures and certificates.. Use public key cryptography to provide: (1) Assurance that both the sender and recipient of a message or transaction will be uniquely identified, (2) assurance that the data have not been accidentally or deliberately altered, and (3) verifiable proof of the integrity and origin of the data. Virtual private networks............. Allow organizations or individuals in two or more physical locations to establish network connections over a shared or public network, such as the internet, with functionality that is similar to that of a private network using cryptography. Audit and monitoring............... Intrusion detection systems.......... Detect inappropriate, incorrect, or anomalous activity on a network or computer system. Intrusion prevention systems......... Build on intrusion detection systems to detect attacks on a network and take action to prevent them from being successful. Computer forensics tools............. Identify, preserve, extract, and document computer-based evidence. Configuration management and Policy enforcement applications...... Enable system administrators to assurance. engage in centralized monitoring and enforcement of an organization's security policies. Network management................... Allow for the control and monitoring of networks, including management of faults, configurations, performance, and security. Scanners............................. Analyze computers or networks for security vulnerabilities. Continuity of operations tools....... Provide a complete backup infrastructure to maintain availability in the event of an emergency or during planned maintenance. Patch management..................... Acquires, tests, and applies multiple patches to one or more computer systems. ---------------------------------------------------------------------------------------------------------------- Source: GAO analysis. In addition, the use of an overall cybersecurity framework can assist in the selection of technologies to protect an organization against cyber attacks. Such a framework includes: determining the business requirements for security; performing risk assessments; establishing a security policy; implementing a cybersecurity solution that includes people, process, and technology to mitigate identified security risks; and continuously monitoring and managing security. Risk assessments, which are central to this framework, help organizations determine which assets are most at risk and to identify countermeasures to mitigate those risks. Risk assessment is based on a consideration of threats and vulnerabilities that could be exploited to inflict damage. Even with such a framework, there often are competing demands for cybersecurity investments. For example, for some companies, mitigating physical risks may be more important than mitigating cyber risks. Further, investing in cybersecurity technologies needs to make business sense. It is also important to bear in mind the limitations of some cybersecurity technologies and to be aware that their capabilities should not be overstated. Technologies do not work in isolation. Cybersecurity solutions make use of people, process, and technology. Cybersecurity technology must work within an overall security process and be used by trained personnel. We have also emphasized the importance of public-private partnerships for sharing information and implementing effective cybercrime prevention strategies.\9\ --------------------------------------------------------------------------- \9\ GAO, Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats, GAO-07-705 (Washington, DC: June 22, 2007). --------------------------------------------------------------------------- Similarly, the Office of the National Counterintelligence Executive has identified a series of ``best practices in data protection strategies and due diligence for corporations.''\10\ These include developing an information strategy; insider threat programs and awareness; effective data management; network security, auditing, and monitoring; and contingency planning. --------------------------------------------------------------------------- \10\ Office of the National Counterintelligence Executive, Foreign Spies Stealing U.S. Economic Secrets in Cyberspace. --------------------------------------------------------------------------- key federal agencies have responsibilities for protecting intellectual property Multiple Federal agencies undertake a wide range of activities in support of IP rights. Some of these agencies are the Departments of Commerce (including the U.S. Patent and Trademark Office), State, Justice (including the FBI), Health and Human Services, and Homeland Security; the U.S. Trade Representative; the U.S. Copyright Office; and the U.S. International Trade Commission. In many cases, IP-related efforts represent a small part of the agencies' much broader missions. A smaller number of agencies and their components are involved in investigating IP violations and enforcing U.S. IP laws. For example, the Department of Justice's (DOJ) U.S. attorneys offices, Criminal Division, and the FBI investigate and prosecute Federal IP crimes. DOJ established the Computer Hacking and Intellectual Property program, which consists of specially-trained assistant U.S. attorneys to pursue IP cases. Each of the 93 U.S. attorneys offices throughout the country have assistant U.S. attorneys designated as Computer Hacking and Intellectual Property coordinators, who are available to work on IP cases. In addition, DOJ has created Computer Hacking and Intellectual Property units in 25 U.S. attorneys offices with histories of large IP case loads. DOJ's Computer Crime and Intellectual Property Section-- based in Washington, DC--consists of prosecutors devoted to enforcing computer crime and IP laws. Computer Crime and Intellectual Property Section attorneys prosecute cases, assist prosecutors and other investigative agents in the field, and help develop and implement an overall criminal enforcement strategy. The FBI's Cyber Division oversees the bureau's IP enforcement efforts; though not all of its IP investigations are cyber-related. Over the years, Congress and the administration have created interagency mechanisms to coordinate Federal IP law enforcement efforts. These include the National Intellectual Property Law Enforcement Coordination Council (NIPLECC), created in 1999 to coordinate U.S. law enforcement efforts to protect and enforce IP rights in the United States and abroad and the Strategy for Targeting Organized Piracy initiative, created by the President in 2004 to target cross-border trade in tangible goods and strengthen U.S. Government and industry IP enforcement action. In December 2004, Congress passed legislation to enhance NIPLECC's mandate and created the position of the Coordinator for International Intellectual Property Enforcement, located within the Department of Commerce, to lead NIPLECC. In November 2006 we reported that NIPLECC continued to face persistent difficulties, creating doubts about its ability to carry out its mandate.\11\ We also noted that while the Strategy for Targeting Organized Piracy had brought attention and energy to IP efforts within the U.S. Government, it had limited usefulness as a tool to prioritize, guide, implement, and monitor the combined efforts of multiple agencies. --------------------------------------------------------------------------- \11\ GAO, Intellectual Property: Strategy for Targeting Organized Piracy (STOP) Requires Changes for Long-term Success, GAO-07-74 (Washington, DC: Nov. 8, 2006). --------------------------------------------------------------------------- In 2008, Congress passed the Prioritizing Resources and Organization for Intellectual Property Act (PRO-IP Act), which, among other things, created the position of the Intellectual Property Enforcement Coordinator (IPEC) to serve within the Executive Office of the President. The duties of the coordinator outlined in the act include specific efforts to enhance interagency coordination, such as the development of a comprehensive joint strategic plan. The act also required the Attorney General to devote additional resources to IP enforcement and undertake other IP-enforcement-related efforts. In October 2010, we noted that DOJ and FBI officials and Office of the IPEC staff reported taking many actions to implement the requirements of the PRO-IP Act.\12\ Moreover, the IPEC coordinated with other Federal entities to deliver the 2010 Joint Strategic Plan on Intellectual Property Enforcement to Congress and the public. We reported that the plan addressed the content requirements of the act, but that enhancements were needed, such as identifying responsible departments and entities for all action items and estimates of resources needed to carry out the plan's priorities. Accordingly, we recommended that the IPEC take steps to ensure that future strategic plans address these elements. IPEC staff generally concurred with our findings and recommendations. --------------------------------------------------------------------------- \12\ GAO, Intellectual Property: Agencies Progress in Implementing Recent Legislation, but Enhancements Could Improve Future Plans, GAO- 11-39 (Washington, DC: Oct. 13, 2010). --------------------------------------------------------------------------- In summary, the on-going efforts to steal U.S. companies' intellectual property and other sensitive information are exacerbated by the ever-increasing prevalence and sophistication of cyber-threats facing the Nation. Recently reported incidents show that such actions can have serious impact not only on individual businesses, but on private citizens and the economy as a whole. While techniques exist to reduce vulnerabilities to cyber-based threats, these require strategic planning by affected entities. Moreover, effective coordination among Federal agencies responsible for protecting IP and defending against cyber-threats, as well as effective public-private partnerships, are essential elements of any Nation-wide effort to protect America's businesses and economic security. Chairman Meehan, Ranking Member Higgins, and Members of the subcommittee, this concludes my statement. I would be happy to answer any questions you have at this time. Mr. Long. Thank you, Mr. Wilshusen for your testimony today, and also for acknowledging your coworkers. I know that that is where a lot of the work gets done up here, and they go unrecognized. So I appreciate that because I know, on a personal level, that it is very important in my office and most offices around here. Like I say, a pat on the back never hurts anybody. I now recognize myself for a round of questioning. Dr. Graham, in April the Commerce Department released a report showing that intellectual property-intensive industries contributed $5 trillion and 40 million jobs to the economy in 2010. Can you speak to the threat that economic espionage poses to various sectors of the economy, and provide some examples of industries that are targeted by foreign actors? Mr. Graham. Thank you, Mr. Chairman. I am happy to do so. Indeed, what this report does and why I came here today to testify was to essentially set the stage, and to speak to what is at stake here. So, you know, indeed the report did identify the most intellectual property-intensive industries in the U.S. economy, with the statistics that I cited earlier; 35 percent of GNP, approximately 28 percent of employment throughout the economy. It stands to reason that the threats associated with, created by, espionage would be particularly biting in these industries, since so much of their competitive advantage is built upon and based upon these intangible assets that they are building. There has been significant study before, particularly on the area of how important these intellectual property protections are for U.S. companies in capturing and maintaining competitive advantage. What we see time and time again, from the way in which these companies innovate and what they do with their innovations and the economic fruits and the economic benefits that flow to Americans and American employees from these innovations--are disrupted when those companies, when those firms, can't get access to these intellectual property protections. So at the end of the day we have to say that, you know, when we are looking at industries--from pharmaceuticals to machinery to chemicals to semiconductors to electronics--widely throughout the economy the threat associated with the undermining of the ability of these companies to maintain those rights and expect that those rights are going to be adequately protected will be significant to the economy. The estimates that have been put out of $13 billion, they seem to be perfectly appropriate estimates. But, of course, what those estimates must be, ultimately, are an under-count. Because what we can never count are the benefits associated to innovation that never happened because innovators are less likely to create their innovations, to expend those resources and investments, because they fear that what they are going to get at the end is an unprotectable product. So, you know, indeed, at the end of the day, these are real threats. They have a real impact on what is going on. The pie, as I have said before, is incredibly larger. Mr. Long. Okay, thank you. Assistant Director Figliuzzi, in an interview with the San Francisco Chronicle you stated that the economic espionage has never been a more significant issue than it is right now. Can you elaborate on this? Also in the article you stated that the Bay Area and Silicon Valley is a target-rich environment for espionage activity. Are there certain areas of the country where the FBI and ICE find this activity to be pervasive? Or can we characterize this as pretty much a Nation-wide problem? Mr. Figliuzzi. Mr. Chairman, with respect to your first question, as to whether this is increasing, whether it is more prevalent, whether it is on the increase, the answer is yes. The factors involve things like the global economic crisis. What we are seeing--as I can talk about in this unclassified session--is that foreign nations and their intelligence services are understanding more than ever before that it is cheaper to steal our technology than to use their precious budget resources, in this time of global economic crisis, to research and develop it. It is cheaper and it is faster to simply steal it. So we see nations, including in some cases some of our allies even willing, when it is in their economic interest, to steal intellectual property for their own economic benefits. With regard to your question about certain areas of the country, there is no question that certain parts of our country have a bulls-eye on them. Those would include areas like the research triangle in the Raleigh-Durham area of North Carolina; Silicon Valley in California; the Boston area, with a lot of research, cutting- edge research, going on there. But here is the risk in singling out areas. The risk in singling out specific areas is that it tends to put everybody at ease if they are not in those areas. Our caseload shows that the real problem today is the unclassified-preclassified--what I call the Mom & Pop shop-- research that is going on everywhere in this country, that is extremely vulnerable to targeting. We see them being targeted like never before. Mr. Long. Thank you. With that, I would like to recognize Ranking Member Higgins for your questions. Mr. Higgins. Thank you, Mr. Chairman. Mr. Woods, according to your testimony the Immigration and Customs Enforcement leads the Government's efforts to prevent foreign adversaries from illegally obtaining U.S. military products and sensitive technology through its counterproliferation investigations unit. How does that unit work with other components, both within the Department of Homeland Security and outside of the agency, to identify potential vulnerabilities? Could you go into as much detail as possible in an unclassified setting so that we can better understand the effectiveness of the collaborative efforts? Mr. Woods. Ah, yes. Thank you, Ranking Member Higgins. ICE counterproliferation investigations works hand-in-hand with our partners in law enforcement, specifically the FBI and Department of Commerce. We also work with the Department of Defense Criminal Investigative Service on many cases involving military articles going overseas and going to the wrong hands. I could say categorically this has been increasing over the last number of years, where we see our defense articles being routed to locations where they shouldn't be, through third countries. We combat this through several ways. Most notably, we have a robust undercover operations program, where we engage the procurement networks that have been seeking these armaments and arms to go to these third countries. We use our undercover operations to move forward in investigating these sort of illicit procurement networks. We also, in working with our partners, deconflict through the E2C2 to ensure that we are talking to the right people. We are making sure that we are not blue-on-blue. That we are making sure that if there is an effort by a state sponsor--we are working in close hands with the FBI to ensure that--that the sponsor is identified. Or whether it is an espionage type of case, that they are included in our investigation. At the same note, if we identify a list of procurement networks that are going through to South America, we work on working with our partners overseas to ensure that we identify the networks that they are in source. Mr. Higgins. Dr. Graham, according to your testimony the entire United States economy relies on some form of intellectual property. You also stated that every two jobs in intellectual property-intensive industries support an additional one job elsewhere in the economy. Given those numbers, can you explain to us the importance of protecting trade secrets in America, and can you further explain the true economic impact of espionage, economic espionage? Mr. Graham. Thank you, Mr. Higgins. Happy to comment on both those issues. On the first issue, actually our report tends to undercount the employment impacts here. So while we found that there were on the order of 27 million American jobs in direct employment in these industries and 13 million in supply chain jobs, those are the upstream supply chain jobs--those jobs that were associated with those industries that were supplying into the IP-intensive industries. There, of course, are other jobs in the downstream economy--distribution systems, retail systems--associated with these industries. So, you know, it really is a very large impact in the economy. On the second question associated with the importance of trade secrecy protection, it is clear to us from everything we know--and many academic studies bear this out, surveys that have been done of American business managers, R&D managers at companies--that secrecy is among the most important protections that industries use to protect their innovations. It tends to be much more effective than many of the other types of intellectual property. Of course, these different types of intentional property work together in very sophisticated and interesting ways because they complement one another. Trademarks will support, you know, a competitive advantage in marketing and sales, while the patents will protect the associated technological elements that go into the product. So these things work together. But one thing that we fundamentally know is that secrecy is extremely important at maintaining competitive advantage. Which, of course, says something I mentioned earlier. It says something not only about what we have today--and the ability of the companies selling and engaging in business in the United States to sell and compete with those goods--but it also says something about the incentives to do innovation in the first place, right? You know, we must be robust and focused on these issues. Because without that, of course, we tend to undermine the incentives of innovators that are looking for future profits in making a decision today to whether to do innovation. So maintaining that important protection, and ensuring that the people at this table are doing the important work that they are doing is, of course, fundamental to supporting our system of innovation, which drives so much of the economic growth and the ability to give better lives to our people in the U.S. economy. Mr. Long. Thank you. Thank you all for being here today and for your valuable testimony, and Ranking Member Higgins for his questions. The Members of the committee may have additional questions for the witnesses, and we will ask you all to respond to those in writing within 10 days for which the hearing will be open. Without objection, the committee stands adjourned. [Whereupon, at 10:55 a.m., the subcommittee was adjourned.]