[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
CYBER ESPIONAGE AND THE THEFT OF U.S. INTELLECTUAL PROPERTY AND
TECHNOLOGY
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
JULY 9, 2013
__________
Serial No. 113-67
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
U.S. GOVERNMENT PRINTING OFFICE
86-391 WASHINGTON : 2014
COMMITTEE ON ENERGY AND COMMERCE
                    FRED UPTON, Michigan
                          Chairman
RALPH M. HALL, Texas                  HENRY A. WAXMAN, California
JOE BARTON, Texas                       Ranking Member
  Chairman Emeritus                   JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky                  Chairman Emeritus
JOHN SHIMKUS, Illinois                EDWARD J. MARKEY, Massachusetts
JOSEPH R. PITTS, Pennsylvania         FRANK PALLONE, Jr., New Jersey
GREG WALDEN, Oregon                   BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska                   ANNA G. ESHOO, California
MIKE ROGERS, Michigan                 ELIOT L. ENGEL, New York
TIM MURPHY, Pennsylvania              GENE GREEN, Texas
MICHAEL C. BURGESS, Texas             DIANA DeGETTE, Colorado
MARSHA BLACKBURN, Tennessee           LOIS CAPPS, California
  Vice Chairman                       MICHAEL F. DOYLE, Pennsylvania
PHIL GINGREY, Georgia                 JANICE D. SCHAKOWSKY, Illinois
STEVE SCALISE, Louisiana              JIM MATHESON, Utah
ROBERT E. LATTA, Ohio                 G.K. BUTTERFIELD, North Carolina
CATHY McMORRIS RODGERS, Washington    JOHN BARROW, Georgia
GREGG HARPER, Mississippi             DORIS O. MATSUI, California
LEONARD LANCE, New Jersey             DONNA M. CHRISTENSEN, Virgin Islands
BILL CASSIDY, Louisiana               KATHY CASTOR, Florida
BRETT GUTHRIE, Kentucky               JOHN P. SARBANES, Maryland
PETE OLSON, Texas                     JERRY McNERNEY, California
DAVID B. McKINLEY, West Virginia      BRUCE L. BRALEY, Iowa
CORY GARDNER, Colorado                PETER WELCH, Vermont
MIKE POMPEO, Kansas                   BEN RAY LUJAN, New Mexico
ADAM KINZINGER, Illinois              PAUL TONKO, New York
H. MORGAN GRIFFITH, Virginia
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Missouri
BILLY LONG, Missouri
RENEE L. ELLMERS, North Carolina
Subcommittee on Oversight and Investigations
                  TIM MURPHY, Pennsylvania
                          Chairman
MICHAEL C. BURGESS, Texas             DIANA DeGETTE, Colorado
  Vice Chairman                         Ranking Member
MARSHA BLACKBURN, Tennessee           BRUCE L. BRALEY, Iowa
PHIL GINGREY, Georgia                 BEN RAY LUJAN, New Mexico
STEVE SCALISE, Louisiana              EDWARD J. MARKEY, Massachusetts
GREGG HARPER, Mississippi             JANICE D. SCHAKOWSKY, Illinois
PETE OLSON, Texas                     G.K. BUTTERFIELD, North Carolina
CORY GARDNER, Colorado                KATHY CASTOR, Florida
H. MORGAN GRIFFITH, Virginia          PETER WELCH, Vermont
BILL JOHNSON, Ohio                    PAUL TONKO, New York
BILLY LONG, Missouri                  GENE GREEN, Texas
RENEE L. ELLMERS, North Carolina      JOHN D. DINGELL, Michigan
JOE BARTON, Texas                     HENRY A. WAXMAN, California (ex officio)
FRED UPTON, Michigan (ex officio)
C O N T E N T S
----------
Hon. Tim Murphy, a Representative in Congress from the
Commonwealth of Pennsylvania, opening statement
    Prepared statement
Hon. Janice D. Schakowsky, a Representative in Congress from the
State of Illinois, opening statement
Hon. Fred Upton, a Representative in Congress from the state of
Michigan, opening statement
    Prepared statement
Hon. Michael C. Burgess, a Representative in Congress from the
State of Texas, prepared statement
Hon. Henry A. Waxman, a Representative in Congress from the state
of California, opening statement
Witnesses
Slade Gorton, Former U.S. Senator from Washington State,
Commission Member, Commission on the Theft of American
Intellectual Property
    Prepared statement
    Answers to submitted questions
Larry M. Wortzel, Ph.D., Commissioner, U.S.-China Economic and
Security Review Commission
    Prepared statement
    Answers to submitted questions
James A. Lewis, Director and Senior Fellow, Technology and Public
Policy Program, Center for Strategic and International Studies
    Prepared statement
    Answers to submitted questions
Susan Offutt, Chief Economist, Applied Research and Methods,
Government Accountability Office
    Prepared statement
    Answers to submitted questions
Submitted Material
Letter of July 9, 2013, from Cyber Secure America Coalition to
the subcommittee, submitted by Mr. Murphy
Letter of July 9, 2013, from Cyber Secure America Coalition to
the subcommittee, submitted by Ms. DeGette
CYBER ESPIONAGE AND THE THEFT OF U.S. INTELLECTUAL PROPERTY AND
TECHNOLOGY
----------
TUESDAY, JULY 9, 2013
House of Representatives,
Subcommittee on Oversight and Investigations,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 10:15 a.m., in
room 2123, Rayburn House Office Building, Hon. Tim Murphy
(chairman of the subcommittee) presiding.
Present: Representatives Murphy, Burgess, Blackburn,
Scalise, Olson, Gardner, Johnson, Long, Ellmers, Upton (ex
officio), Braley, Schakowsky, Tonko, Green, and Waxman (ex
officio).
Staff Present: Carl Anderson, Counsel, Oversight; Sean
Bonyun, Communications Director; Matt Bravo, Professional Staff
Member; Megan Capiak, Staff Assistant; Karen Christian, Chief
Counsel, Oversight; Patrick Currier, Counsel, Energy & Power;
Andy Duberstein, Deputy Press Secretary; Brad Grantz, Policy
Coordinator, O&I; Sydne Harwick, Staff Assistant; Brittany
Havens, Staff Assistant; Sean Hayes, Counsel, O&I; Andrew
Powaleny, Deputy Press Secretary; Peter Spencer, Professional
Staff Member, Oversight; Brian Cohen, Minority Staff Director,
Oversight & Investigations, Senior Policy Advisor; Kiren Gopal,
Minority Counsel; and Hannah Green, Minority Staff Assistant.
OPENING STATEMENT OF HON. TIM MURPHY, A REPRESENTATIVE IN
CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA
Mr. Murphy. Good morning. I convene this hearing of the
Subcommittee on Oversight and Investigations entitled ``Cyber
Espionage and the Theft of U.S. Intellectual Property and
Technology.'' In the last several months, there have been
increasing reports of cyber espionage and its toll on U.S.
businesses and the economy. In March, Thomas Donilon, the
National Security Advisor to the President, addressed the issue
of cyber espionage and the theft of U.S. intellectual property,
or IP, and technology, particularly in China. Mr. Donilon
stated that IP and trade secrets ``have moved to the forefront
of our agenda. Targeted theft of confidential business
information and proprietary technologies through cyber
intrusions emanating from China occurs on an unprecedented
scale. The international community cannot afford to tolerate
such activity from any country.''
In June, President Obama raised this issue with the Chinese
president during a summit in California, and I thank him for
pushing this issue so critically important to U.S. jobs. Just 2
weeks ago, the Council on Foreign Relations released a report
finding that U.S. oil and natural gas operations are
increasingly vulnerable to cyber attacks and that these attacks
damage the competitiveness of these companies. The victims go
beyond the energy industry, though. A recent report by a cyber
security consulting firm documented the Chinese People's
Liberation Army's direct involvement with cyber attacks and
espionage into 141 companies, including 115 in the U.S. across
20 industries.
Three years ago, Chinese military hackers infiltrated the
Pittsburgh location of QinetiQ, a manufacturer of high tech
robotic systems, like the remotely-controlled devices used to
defuse IEDs. Experts believe the Chinese hackers may have
stolen from QinetiQ's proprietary chip architecture, allowing
the PLA to take over or defeat U.S. military robots and aerial
drones. From defense contractors to manufacturers, no American
company has been immune from the scourge of Chinese
intellectual property theft.
In January, two Chinese citizens were convicted for
attempting to steal trade secrets from a Pittsburgh Corning
plant in order to build a rival factory in China. Cyber
espionage has obvious implications for national security,
foreign relations, and the American economy.
The IP Commission, which Senator Slade Gorton represents
today, recently published a report on the theft of intellectual
property and estimated that it costs the U.S. economy over $300
billion a year, which translates roughly to 2.1 million lost
jobs. To put this in perspective, the IP Commission found that
the total cost of cyber theft was comparable to the amount of
U.S. exports to Asia. General Keith Alexander, the director of
the National Security Agency called cyber crime and the
resulting loss of our intellectual property and technology to
our competitors ``the greatest transfer of wealth in U.S.
history.''
The purpose of this hearing is to understand how this loss
is happening, the cost to our country, and how companies and
the U.S. government are responding to this threat. The
testimony of the IP Commission and the U.S.-China Commission
make clear that the People's Republic of China is the most
predominant and active source of cyber espionage and attacks.
China, while the main source, is not the only one. The Office
of the National Counter Intelligence Executive states Russia,
too, is aggressively pursuing U.S. IP and technology.
The witnesses today will explain the methods and tactics
used to penetrate U.S. cyber systems and what China and other
perpetrators do with the information they obtain through these
attacks. Counterfeiting of U.S. products and technologies is
often an unfortunate result of cyber espionage attacks. In an
op-ed submitted to the Washington Post, Admiral Dennis Blair,
former Director of National Intelligence, and Jon Huntsman,
Jr., the former Ambassador to China, explain how the
counterfeiting of a U.S. product by a foreign company resulted
in the foreign company's becoming the largest competitor to
that U.S. company.
Ultimately, the U.S. company's share price fell 90 percent
in just 6 months. Just last month, Federal prosecutors secured
an indictment against Sinovel, a Chinese wind turbine company,
for stealing source code for small industrial computers used in
wind turbines for a U.S. business, American Semiconductor
Company. The CEO of American Semiconductor remarked on the
reported $1 billion loss in market value his company suffered
as a result of this theft, stating ``If your ideas can be
stolen without recourse, there is no reason to invest in
innovation. There is no purpose to the American economy.''
So I'd like to thank the witnesses today. First, we have
the Honorable Slade Gorton, the former Senator from the State
of Washington, and currently a Commission member of the
Commission on the Theft of American Intelligence Property.
Joining him is an expert on cyber security and Chinese foreign
policy, the Honorable Larry Wortzel, Ph.D., who is a
Commissioner on the U.S.-China Economic and Security Review
Commission; Dr. James Lewis, Ph.D., a Senior Fellow and
Director of the Technology and Public Policy Program at the
Center for Strategic International Studies; and Susan Offutt,
Chief Economist for the Applied Research and Methods with the
General Accountability Office.
We invited a spokesman from the White House and the
administration to join us today, but they informed the
committee that they would respectfully decline its invitation.
It is unfortunate that the administration wasn't able to take
this opportunity to join us and testify, given the importance
of this issue and the priority the administration has given it
during recent talks with the Chinese president. That invitation
remains open for them to meet with us.
So with that, I recognize the ranking member, Ms.
Schakowsky, who is now sitting in for--by designation for Ms.
DeGette. You are recognized for 5 minutes.
[The prepared statement of Mr. Murphy follows:]
Prepared statement of Hon. Tim Murphy
In the last several months, there have been increasing
reports of cyber espionage and its toll on U.S. businesses and
the economy. In March, Thomas Donilon, the National Security
Advisor to the President, addressed the issue of cyber
espionage and the theft of U.S. intellectual property, or
``IP,'' and technology, particularly by China. Mr. Donilon
stated that IP and trade secrets ``have moved to the forefront
of our agenda...targeted theft of confidential business
information and proprietary technologies through cyber
intrusions emanating from China [occurs] on an unprecedented
scale. The international community cannot afford to tolerate
such activity from any country.'' In June, President Obama
raised this issue with the Chinese President during a summit in
California.
Just 2 weeks ago, the Council on Foreign Relations released
a report finding that U.S. oil and natural gas operations are
increasingly vulnerable to cyber attacks, and that these
attacks damage the competitiveness of these companies. The
victims go beyond the energy industry, though. A recent report
by a cybersecurity consulting firm documented the Chinese
People's Liberation Army's direct involvement through cyber
attacks and espionage into 141 companies, including 115 in the
U.S., across 20 industries.
Three years ago, Chinese military hackers infiltrated the
Pittsburgh location of QinetiQ, a manufacturer of high-tech
robotic systems like the remotely-controlled devices used to
defuse IEDs. Experts believe the Chinese hackers may have
stolen from QinetiQ's proprietary chip architecture, allowing
the PLA to take over or defeat U.S. military robots and aerial
drones.
From defense contractors to manufacturers, no American
company has been immune from the scourge of Chinese
intellectual property theft. In January, two Chinese citizens
were convicted for attempting to steal trade secrets from a
Pittsburgh Corning plant in order to build a rival factory in
China.
Cyber espionage has obvious implications for national
security, foreign relations, and the American economy. The
Commission, which Senator Slade Gorton represents today,
recently published a report on the theft of intellectual
property and estimated that it costs the U.S. economy over $300
billion a year, which translates into roughly 2.1 million lost
jobs. To put this in perspective, the IP Commission found that
the total cost of cyber theft was comparable to the amount of
U.S. exports to Asia. General Keith Alexander, the director of
the National Security Agency, called cyber crime, and the
resulting loss of our intellectual property and technology to
our competitors, ``the greatest transfer of wealth in
history.''
The purpose of this hearing is to understand how this loss
is happening, the cost to our country, and how companies and
the U.S. government are responding to this threat. The
testimony of the IP Commission and the U.S.-China Commission
make clear that the People's Republic of China is the most
predominant and active source of cyber espionage and attacks.
China, while the main source, is not the only one. The Office
of the National Counterintelligence Executive (ONCIX) states
Russia, too, is aggressively pursuing U.S. IP and technology.
The witnesses today will explain the methods and tactics
used to penetrate U.S. cyber systems, and what China and other
perpetrators do with the information they obtain through these
attacks. Counterfeiting of U.S. products and technologies is
often an unfortunate result of cyber espionage attacks. In an
op-ed submitted to the Washington Post, Admiral Dennis Blair,
former director of national intelligence, and Jon Huntsman,
Jr., the former ambassador to China, explained how the
counterfeiting of a U.S. product by a foreign company resulted
in the foreign company becoming the largest competitor to that
U.S. company. Ultimately, the U.S. company's share price fell
90 percent in just 6 months.
Just last month, federal prosecutors secured an indictment
against Sinovel, a Chinese wind turbine company, for stealing
source code for small industrial computers used in wind-
turbines for a U.S. business, American Semiconductor Company.
The CEO of American Semiconductor remarked on the reported $1
billion loss in market value his company suffered as a result
of this theft, stating, ``...If your ideas can be stolen
without recourse, there is no reason to invest in innovation,
there is no purpose to the American economy.''
I would like to thank the witnesses. First, we have the
Honorable Slade Gorton the former Senator from the State of
Washington and currently a Commission Member on the Commission
on the Theft of American Intellectual Property. Joining him is
an expert on cyber security and Chinese foreign policy, the
Honorable Larry M. Wortzel, Ph.D., who is a Commissioner on the
U.S.-China Economic and Security Review Commission; Dr. James
Lewis, Ph.D. a senior fellow and director of the Technology and
Public Policy Program at the Center for Strategic and
International Studies (CSIS); and Susan Offutt, Chief Economist
for Applied Research and Methods with the General
Accountability Office.
We invited a spokesperson from the White House and the
administration to join us today, but they informed the
committee that they would respectfully decline its invitation.
It is unfortunate that the administration did not take this
opportunity to join us and testify given the importance of this
issue and the priority the administration has given it during
its recent talks with the Chinese President.
# # #
OPENING STATEMENT OF HON. JANICE D. SCHAKOWSKY, A
REPRESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS
Ms. Schakowsky. Thank you, Mr. Chairman. Before I begin,
let me give a special welcome to Senator Gorton, who I
understand grew up in my hometown of Evanston, Illinois, which
I now have the pleasure of representing, and to welcome you and
all the other witnesses here today.
The President, in his State of the Union address this year,
said ``Our enemies are seeking the ability to sabotage our
power grid, our financial institutions, and our air traffic
control systems.'' And the President's right. And that is why I
am so glad that we're having today's hearing to learn about the
impact of cyber espionage, the theft of intellectual property,
and the threat that they pose to our economy and national
security.
The GAO has indicated that ``The theft of U.S. intellectual
property is growing and is heightened by the rise of digital
technologies.'' The Obama Administration has taken a leading
role in the effort to root out cyber threats. The President's
cyberspace policy review identified and completed 10 near-term
actions supporting our Nation's cyber security strategy. The
Department of Homeland Security has created a cyber security
incident response plan; the National Institute of Standards and
Technology in 7 months is expected to publish voluntary
standards for operators of our Nation's critical infrastructure
that will help mitigate the risks of cyber attacks.
The private sector has also taken steps independently to
root out cyber threats and increased communication about best
practices for combating malicious attacks. Those public and
private sector efforts have strengthened Americans' defenses
and protected our critical infrastructure and intellectual
property. We know that foreign actors are seeking access to
American military intelligence and corporate trade secrets.
China, Russia, and other countries continue to deploy
significant resources to gain sensitive proprietary information
via cyber attacks.
While I strongly believe we need to address cyber security
concerns, I did vote against the Cyber Intelligence Sharing and
Protection Act. I believe the bill, though improved from the
last Congress, does an inadequate job of defending the privacy
rights of ordinary Americans. We can't compromise our civil
liberties in exchange for a strong defense against cyber
attacks. We need a better balance, and I'm committed to working
toward that end. We will hear today from Larry Wortzel----
Am I saying that right?
Mr. Wortzel. Yes.
Ms. Schakowsky. A member of the U.S.-China Economic and
Security Review Commission, that China is, and I quote, ``Using
its advanced cyber capabilities to conduct large-scale cyber
espionage, and China has compromised a range of U.S. networks,
including those at the Department of Defense, defense
contractors, and private enterprises.''
Mr. Wortzel's testimony provides examples of those
intrusions, thousands of targeted attacks on DOD network, a
case where hackers gained full functional control--that's a
quote--over the NASA Jet Propulsion Lab network, and Chinese
cyber attacks on the major contractors for the F-35 joint
strike fighters. It describes a U.S. super computer company
that was devastated when its high-tech secrets were stolen by a
Chinese--a Chinese company, and it highlights the Night Dragon
operation, where multiple oil, energy, and petrochemical
companies were targeted for cyber attacks, that gave outside
hackers access to executive accounts and highly sensitive
documents for several years.
Mr. Chairman, we cannot take these problems lightly. I know
you don't. They cost our economy billions of dollars and place
our national security at risk. And as the number of Internet-
connected devices and the use of cloud computing increases, the
number of entry points for malicious actors to exploit will
also rise. With more information and more sensitive information
now stored on the Web, we must sharpen our focus on cyber
security. I hope to hear more from our witnesses today about
this immense challenge and how the private sector and
government entities can become more cyber resilient. And with
that, I yield back, Mr. Chairman.
Mr. Murphy. Gentlelady yields back. Now to the chairman of
the full committee, Mr. Upton, for 5 minutes.
OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF MICHIGAN
Mr. Upton. Well, thank you, Mr. Chairman. Today's hearing
continues the Energy and Commerce Committee's oversight of
cyber threats and cybersecurity. This committee has
jurisdiction over a number of industries and sectors that have
long been the target of cyber attacks and espionage, including
the oil and gas industry, the electric utility industries, the
food services and pharmaceuticals industries, information
technology, telecommunications, and high-tech manufacturing.
Just last May, Vice Chair Blackburn convened a full committee
hearing to examine the mounting cyber threats to critical
infrastructure and efforts to protect against them.
Today we're going to focus on the damaging cost to U.S.
industry when the efforts of foreign nations and hackers to
steal U.S. technology and intellectual property are successful.
American innovation and intellectual property are the
foundations of our economy. Based on government estimates from
2010, intellectual property accounted for $5 trillion in value
added to the U.S. economy, or 34 percent of U.S. GDP. When
foreign nations are able to infiltrate networks and take our
technology and proprietary business information to benefit
their own companies, U.S. firms certainly lose their
competitive advantage. The IP Commission, on whose behalf we
welcome former Senator Slade Gorton's testimony this morning,
has translated the cost of these attacks into hard numbers.
As Chairman Murphy mentioned, this theft costs the U.S.
over 300 billion a year, over 2 million jobs that are lost. And
if our IP is being targeted, U.S. jobs are being targeted, and
this has got to stop. I'm especially interested in learning
more from today's witnesses about the growing threat, how the
U.S. Government is combating it, and what American job creators
themselves can do to protect against the theft of their
intellectual property. We're going to continue our efforts to
protect our nation from the ever-growing cyber threat. It is an
issue that commands and demands our immediate attention. And I
yield the balance of my time to Ms. Blackburn.
[The prepared statement of Mr. Upton follows:]
Prepared statement of Hon. Fred Upton
Today's hearing continues the Energy & Commerce Committee's
oversight of cyber threats and cyber security. This committee
has jurisdiction over a number of industries and sectors that
have long been the target of cyber attacks and espionage,
including the oil and gas industry, the electric utility
industries, the food services and pharmaceuticals industries,
information technology and telecommunications, and high-tech
manufacturing. Just last May, Vice Chairman Blackburn convened
a full committee hearing to examine the mounting cyber threats
to critical infrastructure and efforts to protect against them.
Today, we focus on the damage and costs to U.S. industry
when the efforts of foreign nations and hackers to steal U.S.
technology and intellectual property are successful. American
innovation and intellectual property are the foundations of our
economy. Based on government estimates from 2010, intellectual
property accounted for $5.06 trillion in value added to the
U.S. economy or 34.8 percent of U.S. GDP. When foreign nations
are able to infiltrate networks and take our technology and
proprietary business information to benefit their own
companies, U.S. firms lose their competitive advantage. The IP
Commission, on whose behalf we welcome former Senator Slade
Gorton's testimony this morning, has translated the costs of
these attacks into hard numbers: as Chairman Murphy mentioned,
this theft costs the United States over $300 billion a year,
and 2.1 million lost jobs. If our IP is being targeted, U.S.
jobs are being targeted, and this must stop.
I am especially interested in learning more from today's
witnesses about this growing threat; how the U.S. government is
combatting it; and what American job creators themselves can do
to protect against the theft of their intellectual property.
We will continue our efforts to protect our nation from the
ever-growing cyber threat. It is an issue that commands and
demands our immediate attention.
# # #
Mrs. Blackburn. I thank the chairman. I welcome each of
you. And as you can hear from the opening statements, we all
agree that every single employer in this country has the
potential of being harmed by cyber attacks. We realize that and
we know it is a problem that has to be addressed. And I thank
Chairman Murphy for calling the hearing today. Cyber espionage,
hacking, stealing trade secrets is an escalating activity, and
we need to put an end to this. I also believe that in
addressing our cyber security challenges, we need to expand the
scope of our efforts to address the related issue of IP theft.
As both Chairman Murphy and Upton have said, it is over $300
billion a year in what it costs our economy. And this is a cost
that becomes more expensive for us every year as the problem
grows.
Countries like China and Russia are engaging in wholesale
commercial espionage. They are intentionally taking advantage
of U.S. technology and creativity for their own competitive
advantages. It is an economic growth strategy for them, but
it's a jobs killer, a national security threat, and a privacy
nightmare for Americans. I've offered a discussion framework,
the Secure IT Act, that provides our Government, business
community, and citizens with the tools and resources needed to
protect us from those who wish us harm. It would help us
respond to those who want to steal our private information, it
better protects us from threats to both our Government systems
and to the private sector without imposing heavy-handed
regulations that would fail to solve these persistent, dynamic,
and constantly evolving changes that we are facing. With that,
I yield the balance of my time to Dr. Burgess.
Mr. Burgess. I thank the gentlewoman for yielding. I'll
submit my full statement to the record. I do want to address an
issue that may be a little bit outside the purview of the
panelists today. But, Mr. Chairman, I do hope we'll devote some
time to this at some point. Individuals, of course, have
limited liability; if our credit card numbers are stolen by a
bad actor or a criminal, there is a limit to the amount that
that fraudulent transfer can be. But that's not true for our
small businesses in this country. And I'm thinking particularly
of the doctor's office, the dentist's office, the CPA, the
small law firm who may have their--in fact, in health care,
we're required now to do electronic transfers for Medicare and
for other activities. There is no limit of liability to those
small practices. If their information is hacked and stolen, no,
it's not going to be by on sovereign nation, it's going to be
by a criminal. But, nevertheless, they are hacked and the
information is stolen. Sensitive patient data or customer data
then is retrieved by the bad actor.
I hope we will address at some point the ability to limit
the liability of those small practices when, in fact, they are
only doing what they have been required to do by the Federal
Government and the Medicare system.
Thank you, Mr. Chairman. I'll yield back the balance of the
time.
[The prepared statement of Mr. Burgess follows:]
Prepared statement of Hon. Michael C. Burgess
Thank you, Mr. Chairman.
One of the largest threats facing our nation today is that
of cyber-security and espionage from a variety of sources.
Indeed, top national security advisors have recently stated
that cyber-security was the number one danger to the United
States - even going so far as to supplant terrorism as a
greater threat.
The constant threat of cyber-security and espionage target
not just our nation's defenses, but also sensitive personal and
proprietary information. All kinds of American businesses are
targeted for their trade secrets, business plans and sensitive
data. And, unfortunately, many times, the bad actors are
successful.
This is a stark contrast from before where our state
secrets were only being targeted. Experts estimate the
annual private sector loss from cyber-attacks to be in the tens
of billions of dollars. In fact, NSA Director Gen. Keith
Alexander has stated that the stealing of U.S. private company
information and technology has resulted in the ``greatest
transfer of wealth in history.'' To make matters worse, these
cyber-attacks seem to be only growing in number and many
predict that the intensity and number of attacks will increase
significantly throughout the coming years.
The importance of intellectual property in the U.S. economy
cannot be overstated. In 2010, IP accounted for $5 trillion in
value or 34% of U.S. GDP. IP also has accounted for over 60% of
all US exports and independently created tens of millions of
jobs. Needless to say, the interconnectivity between IP
protection and workforce security is paramount.
This hearing could not come at a more appropriate time.
Yesterday marked the first meeting of a U.S.-China cyber-
security working group. This is an important first step to
enable each side to share perspectives on pertinent laws and
norms in cyberspace. I hope that the outcome of this hearing,
as well as those discussions, will be to shed light on a
growing threat because the unwarranted and unprovoked theft of
U.S. private and public intellectual property has to stop.
Thank you, Mr. Chairman and I yield back.
Mr. Murphy. Gentleman yields back. Mr. Waxman recognized
for 5 minutes.
OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
Mr. Waxman. Thank you very much, Mr. Chairman. I am pleased
that we're here today to discuss the problem of cyber espionage
and theft of U.S. intellectual property. Cyber espionage
damages our economy and places national security at risk. The
threats posed by cyber espionage are growing, particularly from
foreign actors. Numerous reports have noted that the Chinese
government is the chief sponsor of hacking activity directed at
sensitive military information and lucrative corporate trade
secrets. The Department of Defense reported that in 2012,
computer systems including those owned by the U.S. Government
were targeted directly thousands of times by the Chinese
government and military. The New York Times reported that more
than 50 sensitive U.S. technologies and advanced weapons
systems, including the Patriot Missile System, had been
compromised by Chinese hackers.
The computer security consultant Mandiant reported over a
hundred instances of network intrusions affecting key
industries and industry leaders located in the United States
originating from one building in Shanghai. Even an iconic
American company, Coca-Cola, had key corporate documents
exposed by Chinese hackers, compromising a multi-billion dollar
acquisition. Thankfully, they did not get the formula. My ad
lib.
The White House recognizes the seriousness of the threat
and has been leading the response. Over the past 3 years, law
enforcement has significantly increased against infringement
that threatens our economy. Trade secret cases are up, DHS
seizures of infringing imports have increased, and FBI health-
and-safety-focused investigations are up over 300 percent. And
in February, President Obama signed an executive order to
strengthen the cyber security of our critical infrastructure
and direct DHS to share threat information with U.S.
businesses. And just last month, the administration released a
new strategic plan for intellectual property enforcement. But
the administration needs Congress's help, and we are not
delivering. Earlier this year, the House passed a Cyber
Intelligence and Sharing Protection Act. This is a flawed bill
that relies on a purely voluntary approach. It sets no
mandatory standards for industry, yet it would give companies
that share information with the government sweeping liability
protection. The legislation also fails to safeguard the
personal information of Internet users.
The bill is now pending in the Senate. I hope the Senate
comes up with an acceptable compromise. I want to pass a law
that improves our ability to prevent cyber attacks while
adequately protecting the privacy of individuals' data. Cyber
attacks jeopardize our economic and national security, they
threaten key defense technologies, they can impact basic
infrastructure like our power grid and traffic control systems,
and they can endanger innovation by America's leading
corporations. That's why we must have a comprehensive and
nimble strategy to mitigate against risks of cyber attacks. The
White House, the private sector, and Congress must each do its
part.
I look forward to hearing from our witnesses today about
what more we can do to address the serious threats posed by
cyber espionage. Thank you, Mr. Chairman. Yield back the
balance of my time.
Mr. Murphy. Gentleman yields back. Thank you.
And I already introduced the witnesses, so I don't need to
go through those again, but we thank them all for being here.
To the witnesses, you are aware that the committee is holding
an investigative hearing. When doing so, has a practice of
taking testimony under oath. Do you--any of you have any
concerns or objections to testifying under oath?
No. None, OK. Thank you.
The chair, then, advises you that under the rules of House
and the rules of committee, you are entitled to be advised by
counsel. Do any of you desire to be advised by counsel during
the testimony today?
All the witnesses indicate no.
In that case, if you'd all please rise, raise your right
hand, I'll swear you in.
[Witnesses sworn.]
Mr. Murphy. Thank you. All the witnesses indicated that
they do.
So you are now under oath and subject to the penalties set
forth in Title 18, Section 1001 of the United States Code.
You may now each give a 5-minute summary of your written
statement. We'll start with you, Senator Gorton. Welcome here.
You are recognized for 5 minutes.
STATEMENTS OF HON. SLADE GORTON, FORMER U.S. SENATOR FROM
WASHINGTON STATE, COMMISSION MEMBER, COMMISSION ON THE THEFT OF
AMERICAN INTELLECTUAL PROPERTY; LARRY M. WORTZEL, PH.D.,
COMMISSIONER, U.S.-CHINA ECONOMIC AND SECURITY REVIEW
COMMISSION; JAMES A. LEWIS, DIRECTOR AND SENIOR FELLOW,
TECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR STRATEGIC AND
INTERNATIONAL STUDIES; AND SUSAN OFFUTT, CHIEF ECONOMIST,
APPLIED RESEARCH AND METHODS, GOVERNMENT ACCOUNTABILITY OFFICE
STATEMENT OF HON. SLADE GORTON
Mr. Gorton. Mr. Chairman, Madam----
Mr. Murphy. Pull it close to you. These microphones in the
House are not as good as Senate ones.
Mr. Gorton [continuing]. Representative of the city in
which I grew up, I thank you for your greetings. I was a member
of the Intellectual Property Theft Commission, headed by former
Governor Jon Huntsman and former Admiral Dennis--Dennis Blair,
President Obama's first Director of National Intelligence. It
had three goals. The first was to chart the dimensions of the
intellectual property theft and their impact on the United
States.
Second, to separate the rather large part of that that
comes from the People's Republic of China. And, third, to make
recommendations to the administration and to the Congress about
what--what to do about it. Two of you have already pointed out
that we found a minimum of $300 million a year of losses to the
American economy through intellectual property theft,
representing a couple of million jobs. Just imagine what that
would do for us all by itself, without any of the debates which
have rocked--rocked this Congress.
I would say at the beginning that it isn't just cyber
enterprise, cyber theft. Cyber theft is a major part of
stealing trade secrets, but there's also a violation of
copyright and trademark protections and patent infringement.
For example, one software developer in the United States
reported to us that a few years ago, it sold one software
program in China for approximately $100. A year later, when
there was an automatic update available, it had 30 million
calls from China. 30 million to 1. That wasn't cyber
enterprise, that was just reverse engineering a piece of
software.
Now, China accounts for 50 to 80 percent of this
intellectual property loss. Much of which, maybe even most of
which is from private sector Chinese firms. But they are able
to do that because the sanctions in China for violations, even
when they are caught, are extremely small and rarely enforced.
Now, what that leads me to say is that while we--that every
one of the recommendations that we have made in this commission
report will help, they are primarily defensive in nature. And
it is clear that we need better defensive measures to deal with
cyber theft and other forms of intellectual property theft. But
I am convinced that that will never solve the problem on its
own. What we need to do is to come up with policy responses
that create interest groups in China and in the other violators
that value intellectual property protection. When there is a
major interest group in China that says this is hurting us
rather than helping us, we will have begun to solve the
problem. That's a very difficult challenge. A few of the
recommendations we make would make steps, appropriate steps in
that direction and we recommend them to you. But think from the
very beginning, how do we create an interest group that is on
our side in the countries that are engaged in this kind of
theft.
Our recommendations, including targeting for financial
factions, quick response measures for seizing intellectual
property-infringing goods at the border when they arrive, and
increasing support for the FBI, among others. Finally, I would
say that at the very end, in the last 2 pages of our report, we
list three other methods of dealing with this matter that
aren't our formal recommendations. They are all relatively
nuclear in nature. But we commend them to your very, very
careful study, each--because each of those carries with it the
ability to create that internal group in China itself that will
be on--will be on our side.
And with that, I'm at your disposal. The National Bureau of
Asian Research, which conducted this, is at your disposal. We
want to help you as much as we possibly can. We are convinced
that this is not a partisan issue by any stretch of the
imagination. And that this committee should be able to come up
with unanimous responses that will be of real impact.
Mr. Murphy. Thank you, Senator.
[The prepared statement of Mr. Gorton follows:]
Mr. Murphy. Dr. Wortzel, you are recognized for 5 minutes.
Please bring the microphone real close to your mouth so we can
hear. Thank you.
STATEMENT OF LARRY M. WORTZEL
Mr. Wortzel. Chairman Murphy, Ranking Member Schakowsky,
members of the subcommittee. I'll discuss the role of China's
government, its military and intelligence services, and its
industries and cyber espionage and the theft of U.S.
intellectual property. My testimony presents some of the U.S.-
China Economic and Security Review Commission's findings on
China's cyber espionage efforts, but the views I present today
are my own. In 2005, Time Magazine documented the penetration
of Department of Energy facilities by China in the Titan Rain
intrusion set. So this cyber espionage has been going on for
quite some time. China's using its advanced cyber capabilities
to conduct large-scale cyber espionage, and has, to date,
compromised a range of U.S. networks, including those of the
Department of Defense--Departments of Defense, State, Commerce,
and Energy, defense contractors, and private enterprises.
China's cyber espionage against the U.S. Government and our
defense industrial base poses a major threat to U.S. military
operations, the security of U.S. military personnel, our
critical infrastructure, and U.S. industries. China uses these
intrusions to fill gaps in its own research programs, to map
future targets, to gather intelligence on U.S. strategies and
plans, to enable future military operations, to shorten
research and development timelines for new technologies, and to
identify vulnerabilities in U.S. systems.
In my view, it's helpful when government and industry
expose the intrusions and make the public aware of them.
Businesses unfortunately are reluctant to do so. China's cyber
espionage against U.S. commercial firms poses a significant
threat to U.S. business interests and competitiveness.
General Keith Alexander, Director of the National Security
Agency, assessed that the value of these losses is about $338
billion a year, although not all the losses are from China.
That's the equivalent of the cost of 27 Gerald R. Ford class
aircraft carriers. The Chinese government, military, and
intelligence agencies support these activities by providing
state-owned enterprises information extracted through cyber
espionage to improve their competitiveness, cut R&D timetables,
and reduce costs. The strong correlation between compromised
U.S. companies and those industries designated by Beijing as
strategic further indicates state sponsorship, direction, and
execution of China's cyber espionage.
Such governmental support for Chinese companies enables
them to out-compete U.S. companies, which do not have the
advantage of levering government intelligence data for
commercial gain. It also undermines confidence in the
reliability of U.S. brands. There's an urgent need for
Washington to compel Beijing to change its approach to
cyberspace and deter future Chinese cyber theft. My personal
view is that the President already has an effective tool in the
International Emergency Economic Power Enhancement Act. He
could declare that this massive cyber theft of intellectual
property represents an extraordinary threat to the national
security, foreign policy, and economy of the United States.
Under that declaration, the President, in consultation with
Congress, may investigate, regulate, and freeze transactions
and access as well as block imports and exports in order to
address the threat of cyber theft and espionage. The authority
has traditionally been used to combat terrorist organizations
and weapons proliferation, but there's no statutory prohibition
or limitation that prevents the President from applying it to
cyber espionage issues. If some version of Senate Bill 884
becomes law, it should be expanded to direct the State
Department to work with and encourage allied countries to
develop similar laws. I want to thank you for the opportunity
to appear today, and I'm happy to respond to any questions you
may have.
Mr. Murphy. Thank the gentleman.
[The prepared statement of Mr. Wortzel follows:]
Mr. Murphy. Mr. Lewis, you are recognized for 5 minutes.
STATEMENT OF JAMES A. LEWIS
Mr. Lewis. Thank you, chairman. And thank you for the
committee's opportunity to testify. I feel right at home, since
I was born in Pittsburgh and lived in Evanston. So it's good to
be back.
I should note that one of the things I do is lead track 2
discussions with government agencies in China. We've had eight
meetings that have included the PLA, the Ministry of State
Security, and others. Some of my testimony is based on this
not-public information. I'm going to discuss three issues: Why
China steals intellectual property, what the effects of this
are in the U.S. and China, and steps we can take to remedy the
problem.
Cyber espionage is so pervasive that it challenges
Beijing's ability to control it. Every Fortune 500 company in
the U.S. has been a target of Chinese hackers, in part because
American defenses are so feeble. Right? China has four motives
for cyber espionage: First, they have an overwhelming desire to
catch up and perhaps surpass the West. Second, they believe
that rapid economic growth is crucial for the party to maintain
its control. Third, they have no tradition of protecting
intellectual property. And, finally, some Chinese leaders fear
that their society has lost the ability to innovate and the
only way to compensate is to steal technology. China supports
its strategic industries and state-owned enterprises through
cyber espionage. For example, China's economic plans made clean
energy technology a priority, and the next thing that happened
was the clean energy companies in the U.S. and Germany became
targets.
China's economic espionage activities against the U.S. are
greater than the economic espionage activities of all other
countries combined. The effects, however, are not clear-cut
benefits for China. China often lacks the know-how and
marketing skills to turn stolen technology into competing
products. A dollar stolen does not mean a dollar gained for
China. This is not true for confidential business information,
which a director of an allied intelligence service once
described as normal business practice in China. So if you're
going to negotiate, if you're going for business, they will
steal your playbook; they will know your bottom line. This is
immense, immediate advantage. But cyber espionage also hurts
China. One of their goals is to become an innovative economy.
And they are unable to do this while they are dependent on
espionage. They also create immense hostility and suspicion in
their relations with many countries. The U.S. is not the only
victim.
Espionage is a routine practice among great powers. And no
one can object to espionage for military and political
purposes. What is unacceptable is espionage for purely
commercial purposes. Frustration with the lack of progress in
discussions with China have led to suggestions for sanctions or
retaliation. These are not in our interest. We don't want to
start a war with China, nor do we want to crash the Chinese
economy. Hacking back has little real effect and runs contrary
to U.S. law and international commitments.
Instead, we need a strategy with four elements. Sustained
high-level attention. This is going to take years. This is not
something we're going to fix in a couple of months. We need to
create public disincentives for the Chinese hacking, using
Treasury, visa laws, and perhaps FBI activities, Department of
Justice activities. We need closer coordination with our
allies, most of whom are not on the same page as us in this
matter. And, finally, we need improved cyber defenses to make
our companies stronger.
Last month, a U.N. group that included the U.S. and China
said that international law and the principles of state
responsibility apply to cyberspace. This agreement provides a
foundation for rules on hacking. The best strategy, the one
that has the best chance of success, is to create with our
allies global standards for responsible behavior and then press
China to observe them. To use a favorite Chinese expression, we
want a win-win outcome rather than a zero-sum gain where only
one side can win.
Cyber espionage lies at the heart--the heart of the larger
issue of China's integration into the international system, and
at the heart of the efforts of the Chinese to modernize their
economy. This is a problem that has become one of the leading
issues in international relations. China's economic growth has
been of immense benefit to the world. But what was tolerable
when China was an emerging economy is no longer tolerable when
it is the world's second largest economy. I think we are on the
path to resolving this issue, but it is a path that will take
many years to complete. And I thank the committee for its
attention to this issue. I look forward to your questions.
Mr. Murphy. Thank you, Mr. Lewis.
[The prepared statement of Mr. Lewis follows:]
Mr. Murphy. And now Ms. Offutt. Am I pronouncing that
correctly? Thank you. You're recognized for 5 minutes.
STATEMENT OF SUSAN OFFUTT
Ms. Offutt. Thank you. Mr. Chairman, Ranking Member
Schakowsky, members of the subcommittee, thank you for the
opportunity to share our observations on the economic effects
of intellectual property theft and efforts to quantify the
impact of counterfeiting and piracy on the U.S. economy.
Intellectual property plays a significant role in the U.S.
economy, and the U.S. is an acknowledged leader in its
creation. Intellectual property is any innovation, commercial
or artistic, or any unique name, symbol, logo, or design used
commercially. Cyberspace, where much business activity and the
development of new activities often take place, amplifies
potential threats by making it possible for malicious actors to
quickly steal and transfer massive quantities of data,
including intellectual property, while remaining anonymous and
difficult to detect. According to the FBI, intellectual
property theft is a growing threat, which is heightened by the
rise of the use of digital technologies. Digital products can
be reproduced at very low costs, and have the potential for
immediate delivery through the Internet across virtually
unlimited geographic markets. Cyber attacks are one way that
threat actors, whether they are nations, companies, or
criminals, can target intellectual property and other sensitive
information of Federal agencies and American businesses. While
we have not conducted an assessment of the economic impact of
cyber espionage, our work examining efforts to quantify the
economic impact of counterfeited and pirated goods on the U.S.
economy can provide insights on estimating economic losses.
Specifically, my testimony today addresses two topics:
First, the economic significance of intellectual property
protection and theft on the U.S. economy, and insights from
efforts to quantify the economic impacts of counterfeiting and
piracy on the U.S. economy. My remarks are based on two
products that GAO issued over the past 3 years, a 2010 report
on intellectual property, and 2012 testimony on cyber threats
and economic espionage.
As reported in 2010, intellectual property is an important
component of the U.S. economy. The U.S. economy and
intellectual-property-related industries contribute a
significant percentage to U.S. gross domestic product. IP-
related industries also pay higher wages than other industries
and contribute to a higher standard of living in the United
States.
Ensuring the protection of intellectual property rights
encourages the introduction of innovative products and creative
works to the public. According to the experts we interviewed
and the literature we reviewed, counterfeiting and piracy have
produced a wide range of effects on consumers, industry,
government, and the aggregate national economy. For example,
the U.S. economy may grow more slowly because of reduced
innovation and loss of trade revenue. To the extent that
counterfeiting and piracy reduce investments in research and
development, companies may hire fewer workers and may
contribute less to U.S. economic growth overall.
Furthermore, as we reported in 2012, private sector
organizations have experienced data loss or theft, economic
loss, computer intrusions, and privacy breaches. For example,
in 2011, the media reported that computer hackers had broken
into and stolen proprietary information worth millions of
dollars from the networks of six U.S. and European energy
companies.
Generally, as we reported in 2010, the illicit nature of
counterfeiting and piracy makes estimating the economic impact
of intellectual property infringement extremely difficult.
Nonetheless, research in specific industries suggests the
problem is sizable, which is a particular concern, as many U.S.
industries are leaders in the creation of IP. Because of
difficulty in estimating the economic impacts of these
infringements, assumptions must be used to offset the lack of
data. Efforts to estimate losses involve assumptions, such as
the rate at which consumers would substitute counterfeit for
legitimate goods, and these assumptions can have enormous
impacts on the resulting estimates. Because of the significant
differences in types of counterfeit and pirated goods and
industries involved, no single method can be used to develop
estimates. Each method has limitations. And most experts
observe that it is difficult, if not impossible, to quantify
the economy-wide impacts. Mr. Chairman, Ranking Member
Schakowsky, other members of the committee, this is the end of
my statement. I'd be happy to answer questions.
Mr. Murphy. Thank you. I appreciate that.
[The prepared statement of Ms. Offutt follows:]
Mr. Murphy. Let me start off by asking Mr. Lewis, if a U.S.
company were to do these things to another U.S. company, hack
into their computers, replicate projects, steal blueprints, et
cetera, and basically make the same product, whatever it is,
what kind of penalties would that U.S. company incur when they
were caught, prosecuted?
Mr. Lewis. There are several sets of penalties. The first
is, of course, it could be liable to a lawsuit. We see lawsuits
over IP violations frequently. Right? And if it can be proven
in court, the damages can be substantial. Second, in some
cases, the Economic Espionage Act can be applied to any
company, U.S. or foreign, if they engage in this kind of
activity. Third, there are computer security laws that if
hacking occurs the company would be liable for that if it can
be proven. One of the differences between the U.S. and
countries like China and Russia is we have laws and we enforce
them. They either don't have laws and they certainly don't
enforce them. So in the U.S., you don't see as much of this if
anything comparable at all.
Mr. Gorton. In other words, there are both criminal and
civil penalties available in the United States.
Mr. Murphy. But not ones that we can impose upon foreign
nations when they do the same thing.
Let me follow up. Senator Gorton, and all of you, estimates
show that the IP assets alone represent 75 to 80 percent of the
S&P 500 market value, and the U.S. IP worth is at least $5
trillion, and licensing revenues for IP is estimated as 150
billion annually. So if cyber espionage is the biggest cyber
threat America faces today, what really is at stake if we fail
to act on it?
Mr. Gorton. I'm sorry. I missed the last part.
Mr. Murphy. So if cyber espionage is the biggest cyber
threat America faces today, what really is at stake if we fail
to act on it?
Mr. Gorton. What's at stake is, first, others have
testified to this, when it relates to our national defense,
our very national security is at stake. When it can be measured
by dollars, because that deals with civil, it is the $300
billion-plus losses that we found. And I must say, when we
began this work, we found ourselves really sailing on uncharted
seas. We didn't have a whole lot of earlier commissions that
had worked on this. And our research was, to a certain extent,
original.
Some people in the private sector didn't want to cooperate
with us and were afraid of what would happen to them, sanctions
that would be taken against them by China and the like. So I
think that $300 billion-plus is a conservative estimate. The 2
million job loss comes from other sources. But between those
two figures, that's what it's costing us.
Mr. Murphy. And Dr. Wortzel, on that issue, too, and let me
address this as well. What kind of protections are we missing
here? And, of course, this also relates to the discussions
taking place while Chinese delegation is in Washington today.
But let's say, first of all, what kind of protections should we
be dealing with in Congress? I know I read some things in your
report. What would you add to that?
Mr. Wortzel. China's goal in the dialogues right now is to
limit all access to the Internet for domestic security. So I
think we can sort of leave them out of the equation. But I
think the ability to link attribution and detection to criminal
penalties, including arrest warrants, including limitations on
travel, will really affect Chinese companies, Chinese leaders,
and even individual actors. The Mandiant report identified, I
think, four people by name showed who they are dating, showed
what kind of car they drive. If that type of information was
taken to a FISA court or some other court, an open court, and
arrest warrants were issued, those people couldn't travel to
the United States. And that would deter this.
Mr. Murphy. Ms. Offutt, I have a question for you. So if
you were advising the President and his staff this week as they
are talking with the Chinese delegation in town what to push
for, what would you say?
Ms. Offutt. The work that GAO has done on intellectual
property also involves the evaluation of cyber threats and
measures that can be taken in order to combat them. This is not
an area as chief economist that I'm competent to talk about at
length. But we have made recommendations about the adoption of
measures at the firm level, for example, that involve people,
processes, and software measures that can be taken to defend
against any intrusions.
Mr. Murphy. Thank you. I see my time is up, so I now go Ms.
Schakowsky for 5 minutes.
Ms. Schakowsky. Thank you, Mr. Chairman. I just wanted to
respond to comments that you made that the White House or the
administration didn't decline--that declined to have any
witness. Apparently, they suggested other administration
witnesses than those who were unable because of scheduling
reasons to come. And I just wanted to make that point.
Mr. Lewis, you wrote in your written testimony, "we need
to recognize that many companies have not paid serious
attention to securing their networks. There is no obvious
incentive for them to do so."
How could that be?
Mr. Lewis. There's not a lot of work on this. And what we
know is probably about 80 to 90 percent of the successful cyber
attacks against U.S. companies only involve the most basic
techniques. I used to look for Chinese super cyber warriors.
They don't need super cyber warriors, they need a guy in a tee
shirt who is going to overcome the truly feeble defenses. And
some of it is companies don't want to spend the money. Some of
it is----
Ms. Schakowsky. Aren't all the super cyber warriors just
wearing tee shirts anyway?
Mr. Lewis. We have pictures of some of them, which is aid
in attribution issue. Sometimes companies spend money on the
wrong stuff. And sometimes they don't want to know; it can
affect their stock price, it may incur stockholder liability.
So there's a whole set of incentives. It varies from sector to
sector.
The banks do a tremendous job. And it's interesting to note
that despite the fact that the banks do a tremendous job, they
were largely overcome by Iranian cyber attacks over the last 6
months. Power companies, very uneven. There's three power
companies in the Washington area. One does a great job, one
does a terrible job. You know, it varies widely. We don't have
a common standard. And there isn't a business model.
Now, this is beginning to change as CEOs realize the risk.
But we are very far behind when it comes to corporate
protection.
Ms. Schakowsky. Thank you. Dr. Wortzel, we--our government
as a whole relies on--heavily on contractors. And that's
especially true in the national security realm. Large projects
rely on dozens of private sector contractors, layer upon layer
of subcontractors, technology supply chains for military
hardware are enormous. So how do we address the unique cyber
security risks posed by long contracting and supply chains?
Mr. Wortzel. Well, I think our supply chain has really big
vulnerabilities. And the Commission has tried to look into this
on major systems like the Osprey, the F-22, and a class of
destroyers. And the Department of Defense could not go beyond
the second tier in the supply chain. They don't know where this
stuff is sourced from. So that's a huge problem.
The companies, in my opinion, that are in the defense
industrial security program are getting good support from the
Defense Security Service. They get regular visits. They get
support from the Defense Security Service and the FBI on their
cyber protections and their defenses. And it's not a perfect
program, obviously, or we wouldn't have lost all that F-35
data. I think it's gotten a lot better. I think the FBI and the
Department of Defense are--and the National Security Agency are
doing a better job on intrusion monitoring for clear defense
contractors.
Ms. Schakowsky. Let me ask you about the pipeline sector
which has been considered vulnerable to cyber attacks. And
anyone can answer that. Dr. Wortzel or Dr. Lewis.
Mr. Wortzel. Well, our critical infrastructure, pipelines,
are targeted by the Chinese military in case of a conflict. And
those are private companies, run by private companies for the
most part. And there simply is no legislation that would
require those companies to maintain a set standard of security.
And I think that's a huge vulnerability that has to be
addressed.
Mr. Lewis. You want to think about two sets of actors. The
Chinese and the Russians have done their reconnaissance; they
could launch attacks if we got in a war with them. But they're
grown-up great powers. They are not going to just start a war
for fun. On critical infrastructure, the greatest risk comes
from Iran. Iran has significantly increased its capabilities,
and they also are doing reconnaissance and targeting critical
infrastructure, including pipelines. And so the Iranian
Revolutionary Guard worries me more in this aspect than the
PLA.
Ms. Schakowsky. Thank you. I yield back.
Mr. Murphy. Thank you. Now recognize the vice chair of the
full committee, Ms. Blackburn, for 5 minutes.
Mrs. Blackburn. Thank you all. And your testimony is
absolutely fascinating. And I appreciate your time being here.
I've got a couple of questions. Hope I can get through all of
them.
Senator Gorton, I want to start with you. I appreciate so
much what you said about having a major interest group in China
that wants to join us in these efforts for IP protection and
fighting the theft. I think that indigenous industry that feels
as if they are worth being protected would be important. I
appreciate that you have brought forward some recommendations.
And I want to know if you think there is anything that ought to
be the first--the first salvo, if you will. What would be the
very first step? Because we're in the tank on this. They've got
a head start. This has become, as I said in my opening remarks,
their economic development plan to reverse engineer and distill
this IP theft. And we've got to put a stop to that. So item
number 1, if you were to prioritize these recommendations, what
should be first out of the gate for us?
Mr. Gorton. Thank you very much for that question. I was
trying to figure out how to answer it before you asked it. I think
from the point of view of this committee, what might be the
easiest and most appropriate first step would be to put one
person, one office in charge. Our recommendation is that that
be the Secretary of Commerce. That everything related to cyber
security other than defense go through the Secretary of
Commerce. That's where you'll begin to get control of those
$300 billion and those 2 million jobs.
Even the response that you've received here today is there
are all kinds of people in the administration, who is going to
come and speak for them? There isn't one focal point. But if
you make that focal point to the Secretary of Commerce, who
does respond to you, I think it would be a major step forward.
Mrs. Blackburn. And I would imagine that you would
recommend having that one person but with appropriate
Congressional oversight and appropriate sunsets and all of
that.
Mr. Gorton. Absolutely. And you are that oversight.
Mrs. Blackburn. I appreciate that affirmation. So I thank
you for that.
Mr. Wortzel, did you see The Washington Post this morning?
The cover story, ``Regimes Web Tools Made in the USA''?
Mr. Wortzel. I did not.
Mrs. Blackburn. I would just commend it to each of you to
review. You're generous to give us your time this morning.
But let me ask you this, come to you with this question,
since you're doing so much work in that U.S.-China
relationship. And the problem there is significant. And we know
that it bleeds over into Russia and then as you mentioned some
of the other countries that are even less friendly to us.
So China has significant restrictions on the Internet and
on Internet usage by the citizens and the population there. So
if we were to establish rules of the road, if you will, for how
we were going to respect the transfer of property, et cetera,
over the Internet, how are we going to do this so that--with a
country where our understanding of freedoms and our
understanding of usage are so inherently and basically
different.
Mr. Wortzel. I don't think you can. My experience with
China is they will steal and reverse engineer anything they can
get their hands on. And I've been dealing with them full-time
since about 1970. In the middle of their industries and
delivering defense products to them. I think you really have to
understand that the goal, and Jim outlined it nicely, the goal
of Chinese Communist Party is to grow the economy, stay in
power, and advance itself technologically. And most of the
industries are state-owned or municipally-owned and directed by
the government and aided by the intelligence services.
Mrs. Blackburn. Mr. Lewis, do you want to add anything to
that?
Mr. Lewis. Sure. I'm a little more positive. And I don't
have Larry's long experience; I've only been negotiating with
the Chinese since 1992. And we began negotiating with them on
the issue of proliferation. And the Chinese used to be among
the major proliferators in the world. And you can put together
a package of measures that include sanctions, support from
allies, direct negotiations with them. That can get them to
change their behavior. So I'm confident that we can, if we keep
a sustained effort in place, get them to act differently. And
in part, it's because they know they're caught. They want to be
a dynamic modern economy. You can't do that when you're
dependent on stealing technology. They have a big
contradiction. And we can sort of help them make the right
decision.
Mrs. Blackburn. My time has expired. I have other
questions, but I will submit those for the record.
Mr. Murphy. I thank the gentlelady. I now recognize Dr.
Burgess for 5 minutes.
Mr. Burgess. Thank you, Mr. Chairman. And, yes, it is
a fascinating topic. I do have a number of questions, and I will
have to submit, obviously, some of those for the record to be
answered in writing.
But Dr. Wortzel and Mr. Lewis, when you heard my comments
at the opening--yes, we're all concerned about sovereign spying
and cyber security from a sovereign standpoint. Big businesses
are concerned. Coca-Cola is smart not to put their formula on a
network; that way, it's not available for theft. But what about
the legions of small businesses out there? You had heard my
comments in my opening statement. I'm concerned about the
protection that they have or that they don't have from a
liability perspective. So I guess, Mr. Lewis, my first question
is to you. What--what can the small businesses do to improve
their ability to prevent, identify, and mitigate the
consequences of a successful compromise?
Mr. Lewis. This is a major problem, because the small
businesses are very often the most creative and the most
innovative, and so we have to find ways to protect them.
There's a couple of approaches that might be successful. NIST,
as I think some of you said, is developing a cybersecurity
framework. They are not allowed to use the word ``standard,''
so they said framework, but if the framework comes out in a
good place, it will lay out measures that any company can take
to make their defenses better. We know how to do cybersecurity.
We just don't have anybody really pushing that measure, and you
can tell companies what to do. Hopefully NIST will do that.
The second one, and this relates to something that----
Mr. Burgess. Let me stop you there and just ask you a
question. Maybe you can tell companies what to do, so you are
referring to Congress could legislate or mandate an activity
that a company would have to do?
Mr. Lewis. Let me give you an example which is, the people
who are actually in the lead on this, in part because they
enjoy so much attention from China, might be the Australians.
So the Australian Department of Justice Attorney General, came
up with a set of 35 strategies developed by their signals
intelligence agency, and said, if you put these strategies in
place, we will see a significant reduction in successful
attacks. The Australians told me it was 85 percent reduction,
and I said I don't believe it. So they let me go and talk to
some of the ministries that tried it. They told me 85 is wrong;
it is actually higher. That is now mandatory for government
agencies in Australia. You can do this if you are a company. It
is pretty basic stuff.
Mr. Burgess. Now, are you at liberty to share that
information with the committee so you could make that----
Mr. Lewis. Oh, sure. I will definitely pass that along.
Mr. Burgess. Thank you.
Mr. Lewis. The second one, and this relates to I think
something Larry said, is you can make the ISPs do a better job
of protecting their customers. And they might want to do that
for business reasons. Some of them already do, like AT&T or
Verizon. But the ISP will see all of the traffic coming into
the little company. They can take action before it reaches its
target. So there's two things you could do that would make the
world a better place.
Mr. Burgess. And again, my comments during the opening
statement, I'm concerned particularly for the small physician's
office, the dentist's office, where there may be significant
personal data put on a network as required now for electronic
billing, and electronic prescribing that is now required of
those offices. And yet, we provide no liability protection if
one of those offices is hit with an attack.
It hasn't been a big story yet, but it is going to happen.
We all know that it is going to happen. We had a dentist in
Plano, Texas not too far away from the district that I
represent, who lost a significant amount of personal data to
some type of criminal attack in the cyberspace. I think we all
know not to open the email from the Nigerian king who died and
left you money in his will. But a lot of these attacks are
sophisticated. Yes, it is small-potato stuff, but it's a lot of
our businesses that can be affected.
Dr. Wortzel, do you have some thoughts about that?
Mr. Wortzel. Mr. Burgess, I live in the first district of
Virginia, Williamsburg, Mr. Wittman's district. Today in my
district, the FBI is running a big seminar for all businesses
and interested people on exactly this question. So the
government is doing some things. I have to say that one of the
positive areas of our dealings with China, is in bilateral
cooperation on credit card and bank crime. So when it comes to
the type of theft you are talking about, I think that between
the Department of Treasury, and the FBI's legal attaches, you
would see some progress.
Mr. Burgess. Can I just ask you a question on that? Because
that----
Mr. Wortzel. Pardon me?
Mr. Burgess. Can I ask you a question on that, because that
does come up with some of our community banks. And they are
sort of like the end user. They are the target organ, but
really, it is the larger bank that deals with the offshore
transaction that likely should have caught that activity, but
it is always the smaller community bank that is then punished
for having lost those funds for their--for their customer. So
is there a way to actually involve the larger offshore banks
that are doing these offshore transactions?
Mr. Wortzel. I'm afraid, I do not know the answer to that.
Mr. Burgess. OK. If you can look into that and get back
with us with some more information because that comes up all
the time.
Mr. Wortzel. I will do that. And I think the final thing I
would say is, some of the equipment and programs that would
protect small business are pretty expensive, $50,000 for a
special monitoring router. But a group of businesses in an area
could get together, share the cost of something like that, and
mitigate these concerns.
Mr. Burgess. Yes, if the Federal Trade Commission will let
them. Thank you very much, Mr. Chairman.
Mr. Murphy. The gentleman's time is expired. I now
recognize the gentleman from Texas, Mr. Green, for 5 minutes.
Mr. Green. Thank you, Mr. Chairman. China plays a key role
in cyber attacks against the United States. Of course, we have
heard it recently because of some of our citizens going to
China. Credible reports have noted that China has a government-
sponsored strategy to steal American intellectual property in
order to gain strategic advantage, and that Chinese military
has been actively trying to steal military technology.
Dr. Wortzel, can you explain why China is, far and away,
the number one perpetrator of these attacks and what is the
history here and how long has this been going on?
Mr. Wortzel. Well, the first really open documentation of
it, Mr. Green, was the report, three series of reports by TIME
Magazine, the Titan Rain penetrations. Now, the poor guy that
went to the government and said this is going on, and
pinpointed it to China, got frustrated because there wasn't a
government response. He leaked it to TIME Magazine, he lost his
security clearance and his job. So the government has got to
acknowledge that this is happening.
Mr. Green. Yes.
Mr. Wortzel. And it really owes it to the citizens to do
this. But I think it is important to understand that the third
department, the signals intelligence department of the People's
Liberation Army and the fourth department, the electronic
warfare and electronic countermeasures department work
together. The third department alone has 12 operational bureaus
looking at strategic cyber, and signals, three research
institutes, four operational centers, and 16 brigades with
operational forces. And that about half that number that--are
the people that do the door kicking and penetrate in the fourth
department. That leaves out the Ministry of State Security.
That leaves out 54 state-controlled science and technology
parks, each of which are given specific strategic goals by the
Chinese government, and Chinese Communist Party to develop
different technologies. So we just face a huge threat. And
that's why I'm a little more pessimistic than Jim in solving
it.
Mr. Green. Mr. Lewis, do you have anything to add to that?
Mr. Lewis. The Chinese economic espionage began in the late
1970s with opening to the west. It has been part of their
economic planning since then. What happened at the end of the
1990s, was that the Chinese discovered the Internet, discovered
it is a lot easier to hack than to cart off a whole machine
tool or something. And so this has been going on for over 30
years. It is a normal policy for them. I'm a little more
optimistic though. You can get them to change if you put the
right set of pressure and pressure points on them.
Mr. Wortzel. I will give you two examples, if I may. I
delivered as the Assistant Army Attache, a U.S. Army artillery-
locating radar to the Chinese military. And I noticed that I
began to get orders, or requests for resupply of certain parts.
And the radars were supposed to be down on the Vietnam border.
So I went to the Thai Army, the U.S. attache in Thailand and
said, hey, are these parts failing in your equipment, same
rough environmental problem? And they had a zero failure rate.
So within 4 months, they had reverse engineered these radars,
and what they couldn't build, they kept saying they had part
failures so they would get parts and try and reverse engineer
those.
Another time after the Tiananmen massacre in '89, another
attache and I were out in Shandong Province and we had a down
day, and we asked to visit a PLA, People's Liberation Army
radio factory. And sure, they said come in. Things were still
in pretty good shape between the U.S. military and the Chinese,
and they showed us their research and development shop for new
radios and cell phones. And they were literally disassembling
and copying Nokia cell phones, and Japanese radios. So it is a
long tradition there. It goes back to 1858 and the self-
strengthening movement when they went out, bought and copied
the best weapons and naval propulsion systems in the world. Of
course, they got beaten by the Japanese in 1895, and that put
an end to that.
Mr. Green. Well, the Chinese government officially denies
they conduct cyber espionage, and what evidence is there that
the country is behind many of these attacks outside of your
vigil there at the PLA?
Mr. Wortzel. Well, I think the Mandiant Report did an
excellent job. I think that the director of the National
Security Agency, and the National Counterintelligence Executive
have provided a great deal of evidence on attribution, as has
the FBI.
Mr. Lewis. There is a classified report put out by the
Director of National Intelligence that probably has not been
made available to the committee. You might want to ask for it.
Mr. Green. OK.
Mr. Lewis. I will give you an example from these talks we
had with the Chinese. We spent an entire day talking about
economic espionage. And at the end of it--including the
Economic Espionage Act. At the end of it, a PLA senior colonel
said to us, look, in the U.S. military espionage is heroic and
economic espionage is a crime, but in China, the line is not so
clear. So one of the things we can do is make the line a little
clearer to them.
Mr. Green. Thank you, Mr. Chairman.
Mr. Murphy. The gentleman yields back. The chair will now
recognize Mr. Johnson from Ohio for 5 minutes.
Mr. Johnson. Thank you, Mr. Chairman, and I appreciate so
much the opportunity to hear from the panel today. I spent
nearly 30 years in information technology in the Air Force and
in the private sector before coming to Congress. And I know
that this is a tremendously complex and concerning issue
because computing technology, at its very base, is not that
complicated. It's ones and zeros. And for malicious nations
like China and others who understand how to manipulate ones and
zeros, this is not going to be an issue that we can solve today
and then put it on the shelf and come back and look at it 5
years from now, and upgrade it and that kind of thing. This is
going to be a daily, daily obligation to protect not only our
national security, but our industries, and our businesses
across the country.
So I'd like to ask just a--just a few questions. Dr. Lewis,
in your testimony, you stated that it would be easier for China
to give up commercial espionage if the cost of penetrating
business networks is increased and the return from those
penetrations are minimized. How, given the ease with which this
can be done by computer practitioners, how can we increase the
cost to China that will dissuade them?
Mr. Lewis. We can make it a little harder for them, and
since you are familiar with the information technology, and
probably all of you have done this with consumer goods, when
you buy something, the user name is ``admin,'' and the password
is ``password.'' And what we found repeatedly through research
at both government agencies and corporations, is that people
forget to change, right, so they leave the password as
``password.'' And you know what, it doesn't take a mastermind
to hack into a system if the password is ``password.'' There
are other things you can do.
You can restrict the number of people who have
administrator privileges. If you look at Snowden for example,
he had administrator privileges and that let him tromp all
around the networks he was responsible for and collect
information. You shouldn't let that happen. You can make
passwords a little more complex. If passwords are your dog's
name, or any of your first cars, or something like that, the
people who do this for a living can usually guess that in under
2 minutes. Right, it is not----
Mr. Johnson. There are algorithms out there that will
figure out passwords, so I'm not sure password security is
going to solve the problems of a nation state like China.
Mr. Lewis. And that's why we need to move away from
passwords, and I hope that the NIST standards recognize that
passwords failed more than a decade ago; we need to do
something else. There are a number of small steps that can make
it harder. Right now it is so easy to get into most networks
that there is really little cost for the hacker. He doesn't
have to put a lot of effort in.
Mr. Johnson. Sure, Senator Gorton, I was positively
intrigued by your comment that there needs to be one agency, or
one person in charge. And I really believe that that has merit.
I'm not sure who it should be. I haven't given that a whole lot
of thought, but I certainly agree that there needs to be
someone at the cabinet level that is responsible and
accountable for overseeing this effort.
Your report outlines a number of policy solutions that aim
to address the loss of our intellectual property and
technology. So kind of continuing along the lines of what you
said earlier, is the government properly equipped to enforce
the IP rights against foreign companies and countries, or are
we too fractionalized to properly deal with the issue? And I
submit, and you know, I admit full up, you know, even--even
CEOs of companies today, their eyes glaze over when you start
talking about information technology in its core application,
because it's a complex environment.
Do we have the right people? Do we have the right skill
sets? Do we have the right focus to try and address this?
Mr. Gorton. Well, we are decentralized, and I think it is
very important that we--that we do create responsibility at,
you know, at one place to the maximum possible extent. I would
add to Mr. Lewis's, one of the recommendations we make, is to
make it easier to seize goods that violate--that have
violations of intellectual property when they arrive in the
United States. A few years ago, we made it somewhat easier to
go to court and to get seizures. It's nowhere near easy enough.
And one of our principal recommendations is to allow on any
kind of probable cause the temporary seizure of those goods
when they arrive, and then get to court, and deal with it
afterwards. So to a certain extent, it is a lack of
decentralization. To a certain extent it does require tougher
laws.
Mr. Johnson. Yes. Well, my time is expired. I had much more
I wanted to talk about, but maybe we will get to that another
time. Thank you, Mr. Chairman, I yield back.
Mr. Murphy. The gentleman yields back. The chair will now
recognize Mr. Tonko from New York for 5 minutes.
Mr. Tonko. Thank you, Mr. Chair. Ms. Offutt, do you agree
with the IP Commission's assessment of the value of the loss of
intellectual property?
Ms. Offutt. The work that we did suggests that an estimate
like that, that's based on the application of a rule of thumb
about the proportion of an industry's output that is vulnerable
to or lost to intellectual property theft, is not reliable.
There's certainly no way to look across all of the diverse
sectors of the economy and suggest that the theft is
characterized in any particular way that would be common to all
of them.
So the estimate that has gained currency, certainly in
discussions, is, in our view, not credible. It's based on
first, the notion that one-third of the economy's output comes
from intellectual property-intensive industries. That means,
essentially, companies that have a lot of patents, trademarks,
copyrighting, that probably tells you what is at risk. But the
application of the rule of thumb, which is 6 percent of that
output being lost, we don't find any basis for believing that
to be an accurate number.
Mr. Tonko. Thank you, and while I understand the cost of IP
theft is difficult to quantify, it has been suggested that the
theft costs us over $300 billion annually in losses to the U.S.
economy. I would like to try to further distinguish the types
of IP theft. The Mandiant Report from February traced Chinese
government support for cyberattacks. The Defense Department's
2013 report to Congress on China explicitly mentions Russia's
concerns about IP protection and how they will affect the types
of advanced arms and technologies it is willing to transfer to
China. So clearly, even Russia is concerned about Chinese
state-sponsored IP theft. Can any of you as witnesses discuss
the extent of state-sponsored IP theft?
Mr. Lewis. In China, or globally?
Mr. Tonko. Globally, or if you want to do both, that would
be fine.
Mr. Lewis. Both Russia and China have very tight control,
very tight links to--between the government, and the hackers. I
think that China is more decentralized, and one of the problems
they will have in getting it under control is that, you know,
regional PLA organizations, regional political organizations
engage in independent action, right, not necessarily alerting
Beijing to what they are doing. So it is a more decentralized
system, and I think that the Chinese will have difficulty
controlling it.
In contrast, Russia is--appears to be very tightly
centralized. All activities are controlled by the FSB. The
Russians have a tremendous domestic surveillance capability, it
is called SORM, SORM-2, in fact, that allows them to know what
everyone is doing on the Internet. And so if you are a hacker
and you are playing ball in Russia, you have to go along with
what the FSB wants you to do.
Mr. Tonko. Anyone else on that topic?
Mr. Wortzel. Well, I think it's important to understand
that in China, if they want to track down five religious people
praying in a house church with unauthorized Bibles, they can do
it. It's a pretty security-intrusive place. And if they wanted
to track--if somebody gets on the Internet and is engaging in a
form of political protest, they will get them and they will be
in jail. So they can do what they want to do. They have that
capacity. It's just that the state policy is, get this
technology, so they don't bother with them.
I would also like to suggest, if I may, that there are ways
we can make things harder. I mean, you can--you can encode a
digital signal in a file and attach that as you would a patent,
copyright, or trademark, and a company that's developing a
technology could do that, and then if you find that
technology--if you find that code appearing elsewhere in
China's, or Russia's control technologies, you could take legal
action just as you would for a patent, copyright, or trademark.
I am not quite sure that our intellectual property laws are up
to that yet, but you could do that.
Mr. Tonko. Just quickly when you look at the state-
supported effort for IP theft, and contrast that with
individuals in criminal networks, what do you think the
percentage breakdown would be if you had to guess at it?
Mr. Lewis. In Russia, and China, I don't think there are
any independent actors. I think that the degree of control that
the government agencies exercise is--it is not like they are
telling them this is what you have to do, but the criminals are
appendages of the state, or they are tolerated by the state and
in some cases they are directed by the state. So it is a
different system over there, and I think that the degree of
independent action is very, very limited.
Mr. Gorton. In India you might find a good deal of
independent action.
Mr. Tonko. OK, thank you, Senator. With that I yield back,
Mr. Chair.
Mr. Murphy. The gentleman yields back. I will now recognize
myself for 5 minutes of questions, and Senator Gorton, I would
like to follow up on your idea of what would be best if you had
one person who was responsible for overseeing all this. And I
know that others have discussed that, and I would also like to
ask you if you know that Victoria Espinel is the U.S.
Intellectual Property Enforcement Coordinator approved by the
U.S. Senate in 2009 in charge of the Obama administration's
overall strategy for enforcement of intellectual property
rights. Is that someone that you think would be helpful? She
was invited and declined our invitation to attend today, but is
that what you and Mr. Lewis, and others have in mind?
Mr. Gorton. I would like to know what she would have said.
Mr. Murphy. Same here. If I could ask you, Senator, as we
look around the world and see what is going on, what we are
having to combat here, do any other countries stand out as one
that is perhaps doing it right, doing a significantly
appropriate job on this?
Mr. Gorton. I don't think so, but that wasn't something
that was a central point of our investigation.
Mr. Murphy. OK.
Mr. Gorton. We were interested in what we did here. And Mr.
Chairman, may I apologize? I didn't realize it would last so
long. I have a noon date over on the Senate side that I'm going
to have to leave now.
Mr. Murphy. And we thank you for your time, and we
certainly excuse you in light of that.
Mr. Gorton. And I thank you. This is a vitally important
mission on your part. And to take real action to protect our
intellectual property will be a great service to the country.
Mr. Murphy. And if anyone has any additional questions
after your departure, we will see that they are submitted to
you in writing. Thank you very much, Senator, for your time.
All right, if I may ask you, Dr. Lewis. In your testimony,
you said that it would be easier for China to give up
commercial espionage as the cost of penetrating business
networks is increased, and the returns from those penetrations
are minimized. And I know we discussed that some, but would you
give us some examples, or how you think we can increase the
cost to China from commercial espionage?
Mr. Lewis. Sure, and just to briefly respond to your
question to Senator Gorton, the U.K., France, and Russia all
have pretty effective programs in place. They are not
watertight, but they are further along than we are. And some of
it is different constitutional arrangements. The Australians
have made some progress. If it's any consolation, people who
are doing a worse job than us are the Chinese. They are in
terrible shape when it comes to defense, and they remind me of
that all the time. I think what we need to do, it is not enough
of a consolation, but it is better than nothing, right? We need
to find ways to get companies to harden their networks. And
that involves identifying practices that would make the
networks more difficult to penetrate and control. There are an
identified set of practices. Hopefully NIST will encapsulate
them. We need to think about better ways to share threat
information. I know CISPA has attracted mixed review, the
Cybersecurity Information Sharing Protection Act. We need some
vehicle to let companies and government share information
better on threats. That can be relatively effective.
Finally, I'm a little surprised to hear Commerce held up as
the place you would want to coordinate. We do have a policy
coordinator in the White House. She is doing a pretty good job.
But the place where we have not done enough as a Nation is
thinking about the role of the Department of Defense, and
defending our network. And it is a bit of a sensitive topic at
this time. You know, it's not the exact moment to come up and
say we should give NSA a little more responsibility, but they
do have capabilities that we are not taking full advantage of.
Mr. Murphy. At this time, I will yield back and recognize
the gentleman from Texas, Mr. Olson, for 5 minutes of
questions.
Mr. Olson. Thank you, Mr. Chairman, and I want to thank the
witnesses for being here this morning. Senator Gorton left, so
I can't talk about being through Evansville, Indiana. But, Mr.
Lewis, I have been in Pittsburgh, and I have seen a great side
of injustice and theft. As you know, I'm talking about the 1980
AFC championship game in which Mike Renfro from the Houston
Oilers scored a touchdown that the refs disallowed. But turning
to other thefts, as we heard from all of you, state-sponsored
terrorism, cyber espionage, is having a devastating effect on
the American economy and the competitiveness of American
companies. And the energy industry, important in my home state
of Texas, is particularly vulnerable to cyberattacks. These
attacks come in two forms, as you all know. One type is where a
malicious actor could disrupt the physical operations by
hacking into the industrial control systems which are used to
control everything from the power grids to pipelines. The other
cybersecurity threat to the energy industry, which is what this
hearing is focused on, is the theft of intellectual property
and proprietary information through cyber espionage. And the
most malicious of these hackers are nation states, North Korea,
Iran, Russia, and China.
My question will focus on China this morning. Over the past
couple of years, there have been several news reports of major
American oil and gas companies being targeted by Chinese
hackers. And yes, despite official denials we have been able to
trace these attacks back to China. And some of these companies
are headquartered in my hometown of Houston, Texas. The hackers
are looking for, as you all know, sensitive information, such
as long-term strategic plans, geological data showing locations
of oil and gas reserves; even information on the bids for new
drilling acreage.
This type of information is worth billions of dollars,
Senator Gorton's committee, $300 billion in lost revenue for
Americans. This disclosure can severely hurt a company's
competitiveness. My first question for you, Dr. Wortzel, would
you say that energy is a strategic industry in the eyes of the
Chinese government?
Mr. Wortzel. It is absolutely a strategic industry, and
they gather that business intelligence, the state does, for a
couple of reasons. First of all, they are looking for
technology because in some areas they are behind. Second, they
are beginning to invest here. So they want to know where to
invest. They want to know where they are going to get the most
money for their investment, and where they can extract the most
technology.
Now, with respect--I think it is also important to remember
that any time a critical, or a control system is penetrated, or
a computer system is penetrated, it is also mapped. So it's
only in terms--in time of conflict that that penetration may be
used for a critical infrastructure attack because that would be
an act of war. But the damage is done, and they know what to
do.
Mr. Olson. Yes, sir, and I know they have invested billions
of dollars in the Eagle Ford shale play with American partners,
and I suspect they are trying to get that technology, some of
the drill bit technology, other things, hydraulic fracturing
because they have shale plays in Western China. It's a very
difficult terrain out there, different, you know, different
geological structures, but it is pretty clear to me that they
are involved with us trying to steal our technology as opposed
to being good corporate partners.
And my final question is for you, Mr. Lewis. We will put
aside the 1980 AFC championship game, but how is the industry
working together with government to combat cyber espionage?
Mr. Lewis. This is one of the harder areas, and so people
have been trying since 2000 to come up with a good model for
what they call public-private partnership. And it looks like it
has to vary from sector to sector. So for example, the banks,
the telcos, they have a pretty good partnership with the
government. Other sectors, maybe the electrical sector, a little
less strong partnership.
So one of the things we need to do is maybe take a step
back and say, what are the things that would let companies feel
comfortable working with the government? What are the things
that would let them feel comfortable sharing information or
getting advice? And there has been some effort to do that, but
we haven't done enough, and what we haven't done in particular
is tailor it to each sector. What the concerns of an oil
company are, are going to be different from the concerns of a
software company. So maybe a new approach, focused a little bit
more on sector-specific ideas.
Mr. Olson. No one-size-fits-all, and I am out of time. I
yield back. Thank you, sir.
Mr. Murphy. The gentleman's time is expired. I now
recognize the gentleman from Louisiana, Mr. Scalise, for 5
minutes.
Mr. Scalise. Thank you, Mr. Chairman. I appreciate you
holding this hearing, and appreciate our panelists for
participating. I know our committee has delved into this on a
number of different fronts. There has been a lot of attempts
over the last few years to try to move legislation through
Congress to address this in different ways. And it's a serious
problem. I know a few of you have pointed out the economic
impact. There have been a lot of independent studies. Of
course, the IP Commission report that Senator Gorton was part
of, and really helped lead, estimates a $300 billion a year
lost in our economy, and over 2 million jobs.
And when you go out to places like Silicon Valley, which,
you know, for the tough economic times we have right now, there
are a lot of industries that are struggling, but one of the few
areas that is a bright spot is the technology industry. And in
large part, because so much of that intellectual property
starts, is created, and has been innovated here in the United
States, and it's being stolen. It is being stolen by countries
like China. And we know about it. We sometimes can stop it, and
often can't. And yet, it has a major impact on the economy, but
it's kind of lost in the shadows because it is not always
quantifiable.
I want to ask you, Ms. Offutt. You talked a little bit
about this. Is there a better way to gather data, a better way
to know if that $300 billion number per year, is right? Is it
way too low? You know, what are--is there a better way to find
out just what is being stolen, and how it impacts our economy?
Ms. Offutt. Well, I think the approach is necessarily at
the sector or the firm level. That's the way we would aggregate
to a number that told us something meaningful about the extent
of what is at risk, what has been compromised, and then how it
has been used to affect firm sales or consumer purchases. And
that effort is quite data- and labor-intensive, but some of
those data may become available as we intensify efforts to
actually impose protection. Although it would probably always
be the case that firms will be reluctant to divulge everything
about compromise of their systems, for competitive reasons
primarily.
Mr. Scalise. Do you think the criminal enforcement is
adequate? Do you think our Federal agencies that are tasked
with enforcing these laws, are they doing enough? Does more
need to be done? Is it that the law doesn't give them the kind
of ability they need to go after the actors that are out there
stealing all of this property? Anybody on the panel.
Ms. Offutt. I defer to Mr. Lewis to answer that question.
Mr. Scalise. Mr. Lewis, you can----
Mr. Lewis. Let me give you an example that was startling,
even to me. I was at a meeting recently with some FBI
representatives from a major city, not in a State from any of
you, I'm happy to say. They told me they won't take a case of
cyber crime if the loss was less than $100 million.
Mr. Scalise. What agency said this?
Mr. Lewis. FBI.
Mr. Scalise. Why is that?
Mr. Lewis. Because there's just so many that they can't do
them all, and so we have a real problem here. The issue is not
in the United States. If you commit a crime through hacking in
the United States, you will go to jail. The FBI is tremendously
effective. If you commit a crime in Western Europe, or in
Japan, or Australia, you will go to jail. The countries that
observe the law do a good job. And so what we have seen is the
hackers have moved, or the ones who have survived, live in
countries that either support this, or don't have the good rule
of law.
So Brazil, Nigeria, you know about them, Russia, and China,
they encourage them. That's our fundamental problem is if we
could let the FBI off the leash, if they could get cooperation
from these countries, this problem would be much more
manageable. But you have places that don't find it interesting
to cooperate.
Mr. Scalise. And I will stick with you on this one, Dr.
Lewis. We do hear from companies that say that there is a
reluctance to share information with the Federal Government,
you know, in some cases where that information can be helpful
in deterring this theft, or kind of better protecting
against it. What do you see as maybe an impediment, or what
things can be done to better improve that ability to hopefully
lead to a better process that stops some of the stuff from
occurring in the first place?
Mr. Lewis. That's one of the subjects of debate now, but
you probably need better liability protection for the
companies, and you probably need some guarantee that if you
give information to the government, it won't go to every agency
under the sun. You need some sort of limitation on it. Those
are the two key areas there. Antitrust comes up as a problem as
well; if companies share information, they might run afoul of
antitrust. So liability, antitrust, and data security are the
three obstacles.
Mr. Scalise. And I know those things--are things we are
struggling with here, too. So I appreciate that. Thank you, Mr.
Chairman. I yield back the balance of my time.
Mr. Murphy. I thank the gentleman for yielding back. I also
thank all of our panelists, and thank the members. What we have
heard today is startling and enlightening on this issue that
would have a huge impact upon our national security, but also
our jobs, and at a time where we all want to see more Americans
going to work, it is sad that this state of affairs exists, but
we thank the information the panelists have given us today.
I also want to ask for unanimous consent to enter into the
record a letter from the Cybersecure America Coalition on
today's hearing. I understand the minority has had a chance to
review this letter and does not object, so hearing no
objection, so ordered.
[The information appears at the conclusion of the hearing.]
Mr. Murphy. And I ask unanimous consent that the written
opening statements of other members be introduced into the
record. So without objection, the documents will be entered
into the record. So in conclusion again, I thank the witnesses
and members who participated at today's hearing. I remind
Members that they have 10 business days to submit questions for
the record, and I ask the witnesses all agree to respond to the
questions. That concludes our hearing today, thank you.
[Whereupon, at 11:52 a.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]
[GRAPHIC] [TIFF OMITTED] 86391.043