Chinese President Xi Jinping has had a busy autumn as the globe’s cyber diplomat-in-chief. How does the U.S. government now get Chinese government-supported hackers to change their behavior in a way that matches President Xi’s rhetoric?
On December 1 and 2, Homeland Security Secretary Jeh Johnson and Attorney General Loretta Lynch hosted a Chinese delegation led by State Councilor and Minister of Public Security Guo Shengkun in the first meeting of the U.S.-China High-Level Joint Dialogue On Cybercrime And Related Issues. The Dialogue, as described in the Joint Statement released at the end of President Xi’s State Visit in September, is to “review the timeliness and quality of responses to requests for information and assistance with respect to malicious cyber activity of concern identified by either side” and provide a hotline to escalate cases that could not be resolved through working-level cooperation.
Surprisingly, the press release issued by the U.S. Departments of Justice and Homeland Security after the meeting contained no mention of the norm proscribing cybertheft – the government-directed, cyber-enabled theft of proprietary business information used for competitive advantage – or even any generic suggestion that the U.S. side raised cases that illustrate U.S. concerns about Chinese conduct in that regard.
In fact, China’s agreement to a norm proscribing cybertheft – optimistically described as an agreement by China not to conduct cybertheft – was the main event at the State Visit. Afterwards, President Xi even followed up with two months of aggressive diplomacy designed to make China the primary proponent of this norm. During visits to other Western countries, Xi and his Prime Minister Li Keqiang added the norm to joint statements and the G20 leaders even adopted it in the Antalya Communiqué issued at their meeting last month in Turkey.
Surely, the broad push to adopt this norm represents a new understanding by Chinese leaders that such activity needs to end? Unfortunately, as I’ve written previously in this space, the agreement on the principle is accompanied by Chinese denials that they conduct cybertheft – denials that mirror denials on malicious activities in cyberspace heard from Chinese officials in the past. And this week, the Chinese government also redirected attention from cybertheft when it confirmed that before President Xi’s visit to Washington it detained an unspecified number of unidentified independent hackers in connection with the OPM data breach earlier this year – not the Chinese government cyber operators the Administration originally fingered.
One possible interpretation of China’s aggressive diplomatic push in favor of the norm and its effort to shift responsibility for the OPM hack away from government actors is a true change of heart in Beijing. Perhaps the Chinese government has concluded that stealing the innovative output of other countries is ultimately self-defeating and that such theft will no longer be a major component of its approach to innovation. After all, such theft is essentially parasitic and it requires a healthy host to support it (see p. 6). If the theft continued across decades, it would undermine—even more surely than failure to enforce intellectual property rights—the fundamental capability of innovative elements of the developed world’s economy to receive a return on the sector’s large investment in R&D. If the parasitic activity eventually kills the host, the result is a loss for both the developed world and China.
But that seems too optimistic. U.S. cybersecurity firms reported about one month after the State Visit that private U.S. companies were still being attacked by Chinese hackers operating with an unchanged methodology. And in mid-November, Bill Evanina, the Director of the Office of the U.S. National Counterintelligence Executive, had seen “no indication” that Chinese behavior had changed. So, in spite of a diplomatic blitz in favor of this norm against cybertheft, the Chinese leadership still treats its statements about refraining from cybertheft with the same cynicism displayed regarding promises not to militarize the South China Sea and never to pursue hegemony.
Examining China’s major reversal over the last three months closely, you can find a clue to why China has gone from chief denier of government-supported cybertheft to primary proponent of this norm. The switch was flipped when a leak from the White House about the threat of sanctions against Chinese entities and individuals for cybertheft under President Obama’s April 2015 Executive Order brought President Xi’s negotiator, Meng Jianzhu, to Washington to orchestrate President Xi’s acquiescence to the anti-cybertheft norm. Although unilateral economic sanctions, especially those that are very limited in scope, are thought to be more a way to send a message than to fundamentally alter a regime’s behavior, the reaction to merely the threat of sanctions was dramatic and immediate.
As I wrote in this space immediately following the State Visit, on cybertheft China has offered words in exchange for a change in action on the part of the U.S. government in a classic tactical gambit drawn directly from Sun Zi’s Art of War. But if the mere threat of sanctions resulted in the diplomatic reversal, why should the U.S. government suppose that limited sanctions would change behavior? Because such targeted actions appear to have worked with China on this issue in the last 18 months. When the U.S. government indicted five People’s Liberation Army (PLA) officers for cybertheft in May 2014, the diplomatic response from China was furious and seemed counterproductive: China withdrew from the State Department-led bilateral cyber dialogue and demanded the withdrawal of the indictments in most of its diplomatic engagements with U.S. officials. According to the Washington Post this week, however, behind the scenes, the PLA’s responded by dramatically reducing the level of economic espionage conducted by PLA-controlled actors. In other words, the indictments changed the behavior that has so frustrated U.S. policy makers.
Imposing the sanctions that the White House had contemplated in August might have resulted in a difficult diplomatic fallout. The upside, however, is that those sanctions also might have convinced the civilian hackers in China’s Ministry of State Security to curtail their cybertheft practices in the same way last year’s indictments convinced the PLA. It is not too late to learn this lesson. Now that China has agreed to appropriate norms of behavior in cyberspace without actually curtailing its malicious activities, the time has come to sanction Chinese entities and individuals responsible for cybertheft to get the change that will actually matter for the U.S. economy.