Senate Bill Calls For 'Watch List' Of Nations Cyberspying On U.S., Trade Sanctions

In a week that began with the rare move of the Pentagon calling out the Chinese government and military for attacks on U.S. government networks, some key senators have drafted a bill that would create a watch list of nations conducting cyberespionage against the U.S., and spell out just what technologies and products are being stolen -- as well as which foreign firms benefit from the intellectual property stolen from the U.S.

The bipartisan bill, co-sponsored by Sens. Carl Levin, D-Mich.; John McCain, R-Ariz.; Jay Rockefeller, D-W.Va.; and Tom Coburn, R-Okla., is the latest move by the U.S. to ratchet up pressure on China, which has been outed as one of the world's biggest cyberespionage actors. China, in typical fashion, yesterday shot down the Defense Department's claims of cyberspying, calling them "irresponsible and harmful" and denying any state-sanctioned hacking.

The Deter Cyber Theft Act specifically requires that the U.S. National Director of Intelligence to create a "watch list" of nations engaged in cyberespionage activity against the U.S. and a priority list of the "worst offenders." It also calls for an accounting of the U.S. technologies or IP that were targeted, as well as a list of stolen information and the resulting products the information helped build, plus a list of the foreign companies that "benefit from such theft."

Under the bill, the president would block the import of products that contain stolen U.S. intellectual property as well as products from state-owned companies on the priority watch list.

"It is time that we fought back to protect American businesses and American innovation," said Sen. Levin, the chairman of the Senate Armed Services Committee, in a statement. "We need to call out those who are responsible for cyber theft and empower the president to hit the thieves where it hurts most – in their wallets, by blocking imports of products or from companies that benefit from this theft."

But legal experts say passage of The Deter Cyber Theft Act is no sure thing, especially after Congress's failure to pass a cybersecurity bill last year. But ever since the release of the Mandiant report in February, which offered the first real evidence of a long-suspected Chinese military link to cyberespionage against U.S. firms, Chinese cyberespionage has been all the talk in Washington. So the timing may be better for this bill, says Stewart Baker, partner in the Washington office of Steptoe & Johnson LLP and a former Department of Homeland security official.

"This is potentially a big deal for two reasons: First, it is an effort at deterrence of cyberespionage, which is quite different," Baker says. "Second ... it's a very serious potential sanction, saying they are going to refuse permitting imports from products from state-owned enterprises that are benefiting from cyberespionage. That could transform many markets."

The devil's in the details, of course. Just how the feds would be able to procure evidence of a foreign company benefiting from stolen U.S. intellectual property is unclear, Baker notes. "There are also uncertainties on how evidence can be obtained and whether the president is really willing to disrupt trade in that way. But it puts a very big card on the table."

Kristen Verderame, CEO of Pondera International and an attorney, is skeptical the Senate bill has a chance of passing, and says she thinks the sponsors didn't necessarily expect it to, either. "I don't think it was intended to go anywhere necessarily. It was to put a marker in the road," Verderame says. If the sponsors were confident they could pass actual legislation, they would have pulled together other committees and stakeholders, she says.

"These guys are passionate about cybersecurity. They want to do something. They feel like they need to make a statement and show they are serious about cybersecurity," she says. "In terms of any realistic hopes of anything passing [at this time], it's pretty slim."

Congress is still reeling from the failed attempts at a national cybersecurity law, and there just isn't the sufficient climate for getting the latest bill through, either. "Last year, [cyberespionage] was fresh and new. People are getting tired, so now it's turning to China-bashing," Verderame says.

Even so, she says, the more discussion and attention given the cyberespionage problem, the better. "The more noise out there, the better it is" for stronger action, she says.

[New research from multiple sources illustrates dominant role of China in cyberespionage. See Chinese Cyberespionage: Brazen, Prolific, And Persistent.]

Chinese actor groups made up 96 percent of all cyberespionage cases investigated last year, according to Verizon's latest Data Breach Investigations Report. About one-fifth of all breaches in the report were Chinese cyberesionage-based.

"Our economic prosperity and national security depend on bolstering our cybersecurity, and this bill is a crucial component of that effort," bill co-sponsor Sen. Rockefeller said in a statement. "We must cut the demand for stolen trade secrets by holding countries who engage in cyber theft accountable for their illegal activities and by preventing products that use stolen information from entering the U.S. market. Alongside other cybersecurity priorities – including stronger cybersecurity standards, cyber workforce training, R&D, and public-private information sharing -- this bill to elevate cyber theft as a national security priority is a major step forward for American workers, American businesses, and American ingenuity."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.