Expect to see Congress take up legislation to punish nations and people that back global intellectual property theft and industrial espionage, House intelligence committee chairman Mike Rogers said today. Such legislation could revoke visas of those involved in economic espionage or sanction countries that back such behavior.

Such actions would punish "nation-states that steal intellectual property and repurpose it for government companies to illegally compete in the market," Rogers told reporters after a breakfast in Washington, alluding to Chinese intellectual property theft. "That's something I'm working on, and we've got some great bipartisan support on this and great bicameral support, and we'll have an announcement on this soon."

He added that legislation to punish countries engaged in economic espionage will not be included in the latest version of CISPA, set to be voted on next month, but rather it will be "announced and ready sometime this year."

He hinted that the legislation could also punish people who knowingly do business with foreign entities that rely on intellectual property theft for their business model.

"I steal from your house, and I come to [another person's house] and try to sell it, it is both a crime for me to steal it and a crime for you to take stolen property. This should be no different. The only difference is, the value of it is exponentially bigger," said Rogers, a former FBI agent.

Early last month, Rogers said the U.S. must do more to confront China on its state-backed economic espionage campaigns.

"We need direct talks with China and it needs to be at the top of a bilateral discussion about cyber espionage," Rogers told Killer Apps on Feb. 13. "This is a problem of epic proportions here, and they need to be called on the carpet. There has been absolutely no consequences for what they have been able to steal and repurpose to date." Rogers suggested that the U.S. implement trade sanctions and identify "individuals who participate in this, go after their visas, go after family travel, all of the levers we have at the Department of State. The problem is that bad."

Last month the White House unveiled its strategy to combat the international theft of intellectual property and trade secrets. This effort is focused on international law enforcement efforts to catch IP thieves and diplomatic cooperation aimed at curbing state-backed theft of trade secrets.


Posted By John Reed

The House intelligence committee will vote on the Cyber Intelligence Sharing and Protection Act, better known as CISPA, next month.

"It will be coming out of the committee in April, it is a continuing work in progress, we are still meeting with privacy groups, still meeting with industry folks," said committee chairman Mike Rogers during a breakfast in Washington this morning.

Remember, numerous organizations from the White House to the ACLU and the Electronic Frontier Foundation have opposed the bill, saying it would violate citizens' privacy rights. The bill died last year after the White House threatened a veto over privacy concerns.

"We want a bill that the American people can have faith and confidence in, that it is working for them, not against them, and [to allay concerns] that it is a surveillance program, which it is not," said Rogers. "We want to make sure that we meet the level of privacy concerns, and we think we can do that by working in some very direct language that expresses, in language, what we believe the bill already does but we want to reiterate that."

Rogers added that the committee and the White House may have had a "break-through" regarding its privacy concerns this week. He would not elaborate.

"I think we've got them [the White House] to a place where they're interested in working with us to get something that we can get signed into the law," added Rogers.

While the White House is concerned about the bill infringing on privacy rights, executive branch officials have said that legislation allowing private businesses to share information with each other and the government is needed to augment the White House's cyber security executive order.

The executive order authorizes government intelligence and law enforcement agencies to share threat information with businesses but not the other way around; only legislation can require that.

A key tenet of such legislation would be giving businesses immunity from lawsuits for sharing personal information about private citizens or violating antitrust statutes when sharing cyber security information. (Click here to learn more about the type of information that the government wants to share.)

Without "robust" liability protection, "this won't work," said Rogers of any attempt at private sector information sharing.

Rogers and the committee's ranking Democrat, Rep. Dutch Ruppersberger, said when re-launching the bill last month that they are working with the White House to avoid another veto threat.

He added that his committee has also garnered "a lot more democratic support" in the Senate than it did last year.

Rogers told reporters after the breakfast that CISPA is only the first of many cyber-related legislative projects that will emerge this year. Stay tuned to Killer Apps for more on this today.


Talk about a potential security fail. The U.K.'s Government Communications Headquarters (GCHQ) has been sending job applicants passwords to its recruitment website via unencrypted email.

Why is this a potential security violation? Because plenty of personal information about those applicants is hosted inside the recruitment site. If a foreign intelligence agency broke into the recruitment page they could collect potentially useful information on GCHQ's future employees.

The kicker: GCHQ is the country's premier electronic intelligence agency -- the government's cyber security arm and the British equivalent of the National Security Agency. (To be fair, cyber spies would need to know whose email to target to get these passwords, but still.)

The problem was apparently revealed when job applicant Dan Farrall posted to his blog an email he got from GCHQ that included his password. Apparently GCHQ emailed Farrall his password after he filled out a basic 'Forgot Your Password?' form on the agency's recruiting website. (You'd think, at the very least, GCHQ would require users to come up with a new password like plenty of businesses do when you forget yours. Let's hope they add two-factor authentication soon.)

Cyber security firm Kaspersky Lab's blog ThreatPost then wrote up what it says is the agency's acknowledgement of the security lapse.

"The current applicant tracking system used by GCHQ is a legacy system and we are currently in the process of changing it," the agency said, asserting that "only the very small percentage of applicants (who need their accounts reset) are sent a new password" and that those emails come "with clear instructions of how to protect their data."

GCHQ didn't clarify whether it was planning on implementing some sort of password reset functionality on its site in place of the password retrieval functionality it currently has in place. The agency also failed to explain how exactly it would approach its users' privacy from here on out, so it's unclear whether it plans to salt and hash its users' passwords going forward.

It looks like the U.K.'s Fort Meade has been a little bit lax on some basic cyber security procedures.


Posted By John Reed

The Navy is moving ahead with its effort to field a stealthy, carrier-based attack drone. Yesterday, the sea service announced that it plans to give Boeing, Lockheed Martin, Northrop Grumman, and General Atomics contracts to flesh out their competing designs for the Unmanned Carrier Launched Airborne Surveillance and Strike (UCLASS) program.

UCLASS is supposed to be semi-autonomous, meaning that it can take off, fly missions, and land on an aircraft carrier without a human operator at the controls the whole time. It will, however, have people monitoring the missions. (You can bet Human Rights Watch is going to keep a very close eye on this program.)

The Navy wants to use the drones to do everything from refueling other planes in midair (a critical task given the massive distances involved in the Pacific) to collecting intelligence on enemy forces and killing them. Unlike the current generation of combat UAVs, such as the MQ-1 Predator and the MQ-9 Reaper, UCLASS must be stealthy and jet-powered, giving it a chance to survive against enemy air defenses that would quickly take out a slow, propeller-powered Predator or Reaper.

(Keep in mind that long-range, stealthy jets, drones, and missiles are part of the Pentagon's plans to counter potential enemies who are investing in radars and missiles designed to keep U.S. ships and planes far from their borders under a strategy known as Anti-Access/Area Denial or A2AD.)

Northrop Grumman's design will be based on its X-47B Unmanned Combat Air System (UCAS) demonstrator. That jet is already flying from the Navy's test facility at Patuxent River, Md., has taken off from a land-based catapult, and conducted taxi tests aboard the aircraft carrier USS Harry S. Truman last December. The UCAS program is a direct precursor to UCLASS, meant to prove that the Navy can operate a stealthy, fighter-size drone from its aircraft carriers. Needless to say Northrop plans on capitalizing on the work it's done on the jet for the UCAS program to offer it up for UCLASS (got that?).

Meanwhile, Lockheed Martin is expected to offer up its Sea Ghost, a plane that will draw upon the Bethesda-based defense giant's work building the Air Force's super-secret RQ-170 stealth spy drone and the F-35 Joint Strike Fighter.

Next up, Predator- and Reaper-maker General Atomics is expected to offer a version of its jet-powered Predator C called the Avenger. That plane, like all the other designs, will be toughened against the strain of carrier takeoffs and landings as well as the corrosive, salty sea air.

Finally, Boeing is moving ahead with a brand-new design for UCLASS. A company executive told yours truly last year that Boeing isn't going to pitch a "warmed over" version of its X-45, the plane that unsuccessfully competed against the X-47 for the UCAS contract.

This new batch of UCLASS development contracts is expected to run until 2015, according to the Navy. The sea service originally wanted to field UCLASS operationally by 2018, but that ambitious date has slipped to 2020.


Posted By John Reed

Here are what might be the first photos and videos of China's J-20 stealth fighter equipped with an air-to-air missile.

We've seen this coming for several weeks now as photos and videos emerged on the Chinese internet showing the second known J-20 (dubbed serial number 2002) flying with its weapons bay open and a missile rack popping out.

Notice in the video below how the J-20's missile rack allows its weapons bay doors to close while the missile is still attached to the rack, unlike those found on American stealth jets like the F-22 Raptor. This may help cut down on drag and reduce the plane's radar signature.

(For more on this, check out David Cenciotti's analysis of the design of those found on the J-20.)

So, a little over two years after the J-20's first flight, the aircraft may be ready to conduct weapons tests. (Or, Chinese engineers just want to make sure the design of the plane's weapons bay and racks works.)


Posted By John Reed

How's the United States Marine Corps, which bills itself as an amphibious force, going to fight in a world where potential U.S. enemies are stockpiling radars and missiles to keep ships that carry Marines far from their shores? They're going to come in from the sky, according to Maj. Gen. Kenneth McKenzie, the Corps' representative to the Quadrennial Defense Review.

"I think the best example of what being amphibious means to the Marine Corps is Task Force 58. I think it's Brigadier General Jim Mattis launching off the Pakistan coast, striking deep into southern Afghanistan. No amphibious vehicles crossed a beach in that operation," said McKenzie during a breakfast with reporters in Washington this morning.

The Marines of Task Force 58 conducted the longest-distance helicopter raid in history to establish one of the first American bases in Afghanistan in November 2001.

"You strike at a time and place of your choosing with overwhelming force, from a sea base. That is an example of a modern amphibious operation," said the two-star. "You find a weakness in your enemy's defenses, and you go where they're not expecting you, and you go deep and you strike strategically."

He noted that the Corps didn't have the MV-22 Osprey tilt-rotor aircraft in 2001, a weapon that expands the service's ability to perform long-distance raids. "With the V-22 those capabilities would be even more pronounced," said McKenzie.

Not quite what most people have in mind when they think of amphibious warfare. Remember, the Corps still has tons of amphibious armored vehicles, hovercraft, and landing craft designed to bring Marines from their ships to the shore (something McKenzie called an important capability). Still, the 2011 cancellation of the Corps' decades-long effort to buy a new armored vehicle -- the Expeditionary Fighting Vehicle, which could transport troops ashore from ships that are beyond the range of enemy weapons -- shows how difficult the notion of a traditional amphibious assault has become. (The service is still looking at ways to field a 21st Century amphibious assault vehicle.)

"Nobody thinks of the Pacific battles of World War II as a model for the way we want to do business today," McKenzie added.

Throughout the breakfast he maintained that the Corps will promote its role as a lightweight force capable of rapidly deploying around the globe to do everything from providing disaster relief to establishing a foothold in combat zones for the "nation's strategic decisive force" -- the Army -- to move into.

(Click here to see what he told FP's Situation Report in January about the future of the Corps as a light fighting force.)

For example, when asked about his service's role in the Pentagon's air-sea battle concept, McKenzie said it was as an expeditionary raider force.

"Air sea battle looks very hard at the kill chain, technical answers to technical problems. We think you probably need to look beyond that and to think about other operational approaches that don't supplant the technical issues but you want to have tactical answers too. If you take away a base, for example, then you take away the ability to launch a missile," said McKenzie. "That talks about expeditionary operations, that talks about raids and seizures of different places. You want to get the discussion on more than just a technology level."

McKenzie pointed out that the service isn't abandoning coastlines; it will still "play in the littorals." But these missions will likely be oriented toward training other militaries and responding to humanitarian emergencies more than major combat operations.

Click here to read the FP article by McKenzie's fellow Marine, Lt. Gen. Richard Mills, on the types of coastal missions the amphibious service is likely to be tasked with in the future.


Posted By John Reed

This week, the Tallinn Manual -- a NATO initiative by which legal experts have articulated laws for the cyber battlefield -- is set to make its stateside debut. But the United States says it is already ahead of the document's recommendations: it insists the existing laws of war are sufficient to govern the use of cyber weapons.

"Existing international law applies to cyberspace just as it does in the physical world," said Christopher Painter, the State Department's coordinator for cyber issues, during a forum at George Washington University last Thursday. "That is a very important concept. It means a couple of things. First, it means we don't need new norms in cyberspace; we apply existing norms."

The United States is trying to establish international rules of the road in cyberspace that are accepted by other nations, but it believes they should reflect rules that are already on the books, such as the law of armed conflict.

"It is the clear and consistent policy of the United States that the Law of Armed Conflict applies to our operations in all domains, including cyberspace," a Pentagon official told Killer Apps when asked about the Tallinn manual. "The cyber activities of the Department of Defense are always undertaken in accordance with existing policy and law and executed under specific authority."

Adhering to existing law, according to Painter, means that militaries should recognize the distinction between soldiers and civilians and exercise proportionality in using force. They should not target civilians, and nations should be held accountable when proxy cyber groups use force on their behalf.

The Tallinn Manual was commissioned by NATO, but it was produced by independent legal scholars and practitioners and does not speak for any government. But the Pentagon official said that "the department values the contributions that independent reports like the Tallinn Manual for Cyber Law bring to the dialogue and important work being done in the realm of Cybersecurity."

(Click here to read remarks a State Department lawyer gave regarding the law of armed conflict and cyberspace during a speech at U.S. Cyber Command last summer.)

U.S. officials say the process of formalizing rules for cyberspace will likely take decades given the differing priorities among various governments. For example, the U.S. and its allies want to focus on things like fighting intellectual property theft and banning destructive cyber attacks during peacetime, while nations such as China and Russia want to be free to censor information and monitor what their citizens do online -- a stance U.S. officials call a "nonstarter."

Painter said that, while nations continue to discuss such issues, they may want to develop cyber hotlines so that government leaders can communicate freely and directly about cyber incidents.

"You can do confidence and transparency measures for those states where there may be some distrust, just understanding how they're organized, maybe having hotlines between them. I think that's an important part of the political-military bucket," he said.

The notion of a cyber hotline, similar to the nuclear hotline between the White House and the Kremlin, is something yours truly has also heard suggested by senior foreign officials, who wished to remain anonymous.


Posted By John Reed

How serious is intellectual property theft and cyber crime against U.S. businesses? It depends on who you ask.

When Jim Lewis of the Center for Strategic and International Studies gave someone he would only describe as one of the "gods of economics" his initial estimates about the cost of cyber espionage, this is what happened: 

"I said, 'I apologize, we're at a very preliminary stage of our research, there's an embarrassing range and we hope to narrow it over time, but I would say the minimum might be $20 billion dollars a year and the maximum might be $100 billion dollars a year,' noting that there's all sorts of problems, it's a very preliminary estimate," Lewis recounted during a forum on cyber security at The George Washington University last week. "He looked at me and he said, '100 billion dollars!? That's a rounding error in a $15 trillion dollar economy!' And he's right, it's a rounding error."

More recent estimates have put the cost of theft as high as $338 billion per year, but Lewis' anecdote puts the fear of cyber espionage in perspective.

Still, Lewis admitted that the blatant theft of U.S. economic and defense secrets is "very disturbing" and needs to be addressed.


John Reed reports on the frontiers of cyber war and the latest in military technology for Killer Apps.
