China and cybertheft, six months later
Last September, during his State Visit in Washington, China’s President Xi Jinping committed (see paragraph 48) to President Obama that China would not conduct or support cybertheft to benefit China’s economic competitiveness. President Xi then took that non-binding commitment with the United States on the road and became its primary advocate, culminating in the inclusion of similar language in the Antalya Communiqué agreed by the leaders of the G20 in November.
As I noted on this blog (twice in September and again in December), accepting that non-binding commitment as progress delayed taking meaningful action–in the form of economic sanctions–to try and actively influence the cyber behavior of China’s state-sponsored hackers. My argument at that time, and still today, is that in adopting that non-binding commitment, the Chinese President was practicing the Art of War on the United States by making a rhetorical feint while continuing the cyber activities–state-sponsored and state-supported cybertheft of U.S. companies’ proprietary information–that violate that commitment and continue to undermine the U.S. economy.
As alluded to above, the reason President Xi felt the need to send his high-level envoy Meng Jianzhu to negotiate the non-binding commitment appears to be the widely reported fact that the Administration was readying a package of sanctions against Chinese individuals and entities. The Chinese President preferred to take on a commitment by which his government has no intention of abiding rather than face the inconvenience and loss of face that sanctions would cause. If the Administration had moved forward with sanctions last fall, China would have been the first country to have its entities and citizens targeted by sanctions under President Obama’s April 2015 Executive Order announcing a national emergency on cybersecurity and authorizing such sanctions.
Now just over six months after President Xi’s State Visit during which he endorsed the norm against cybertheft, that commitment appears to have done its job completely…for China. This issue, which used to be very high on the list of difficult problems in communications between the two Presidents, barely got a mention last week when the Presidents met in Washington on the sidelines of the Nuclear Security Summit. Based on the readout from that meeting, “[t]he President reiterated that we will continue to monitor whether Chinese actions demonstrate their adherence to the commitments.” But has anything changed that would merit continued passivity in the face of China’s cybertheft?
The best source of such information is the federal government, but it is not forthcoming about its information for obvious reasons. Still, we can look at the sources that told us there was no change toward the end of last year–both private sector and government–but there has not been much further discussion of whether this type of hacking continues through the first 3 months of 2016. Discussion about the direction of China-based intrusion sets in CrowdStrike’s 2015 Global Threat Report, released in February 2016, asserted that “[t]he economic downturn and new Five Year Plan in China will continue to drive their state-sponsored cyber espionage activities.” The report also details how the current economic cybertheft intrusion sets CrowdStrike has identified over time map to the priority economic sectors listed in China’s new Five Year Plan. And in comments to Politico last week, counsel to the Intellectual Property and Technology, Media and Telecoms group in Hong Kong suggested that there may have been an increase in cybertheft.
The Intelligence Community provided additional information this year in the Congressional testimonies of both Director of National Intelligence Jim Clapper and the leader of Cyber Command and NSA Director Admiral Michael Rogers. Both concluded, in identical language in their written testimonies, that “China continues cyber espionage against the United States.” And Director Clapper further elaborated that, “China continues to have success in cyber espionage against the US Government, our allies, and US companies” (emphasis added). Clearly, China has not stopped the conduct that nearly resulted in the imposition of economic sanctions last fall.
On that basis, the time has come for the Administration to impose such sanctions on Chinese entities and individuals. The testimonies of both IC officials, however, raise a troubling question about whether the Administration is making the situation worse for American businesses. In both Director Clapper’s testimony and in responses to questions from the Senate Armed Services Committee by Admiral Rogers, the IC leaders suggested that without evidence of “…the use of exfiltrated data for commercial gain,” the jury would be out. As Admiral Rogers put it this week, “The question I think we still need to ask is, is that activity then in turn shared with the Chinese private industry?”
In fact, several reports have asserted attribution of intrusion sets focused on commercial information to Chinese state actors going back several years, but the additional burden of showing that the stolen data was used for specific commercial gain by Chinese industry adds a tremendous complication to any attempt to sanction Chinese cyber activities that threaten U.S. competitiveness. Such a burden would delay any such sanctions until they were far too late to be of any use. Perhaps more importantly, President Obama’s April 2015 Executive Order adopted a “reasonably likely” standard for imposing sanctions on persons or entities that engage in cybertheft. Adopting the IC’s standard–putting the onus to detect, attribute, and trace the misappropriated information through to its use by a commercial entity–is far too generous to the hackers. Combined with the reduced attention paid to the problem since President Xi’s State Visit, the adoption of this standard would render sanctions for hacking activity a dead letter.
The question the Obama Administration faces now, six months after it allowed President Xi to take the initiative, is how to regain the momentum in its fight against Chinese cybertheft. As detailed in December, the indictments of five Chinese People’s Liberation Army (PLA) hackers by the Justice Department in May 2014 had a measurable effect on the PLA’s cybertheft activities. If that is the case, indictments against hackers from the Ministry of State Security, China’s external intelligence agency, or the Ministry of Public Security, China’s domestic police agency, could be one way forward. Indictments are not a great policy option because, as law enforcement actions, they are insulated–appropriately–from the policy process. As successful as those indictments were at sending a message, using that tool on a regular basis would be difficult for an Administration to control or direct. The real hope is that the White House would look at the continued cybertheft conducted by China and revisit its decision not to impose sanctions on China immediately after President Xi’s State Visit. With significant continued cybertheft originating from China, one hopes for that reversal very soon.