Last September, during his State Visit in Washington, China’s President Xi Jinping committed (see paragraph 48) to President Obama that China would not conduct or support cybertheft to benefit China’s economic competitiveness. President Xi then took that non-binding commitment with the United States on the road and became its primary advocate, culminating in the inclusion of similar language in the Antalya Communiqué agreed by the leaders of the G20 in November.
As I noted on this blog (twice in September and again in December), accepting that non-binding commitment as progress delayed taking meaningful action–in the form of economic sanctions–to try and actively influence the cyber behavior of China’s state-sponsored hackers. My argument at that time, and still today, is that in adopting that non-binding commitment, the Chinese President was practicing the Art of War on the United States by making a rhetorical feint while continuing the cyber activities–state-sponsored and state-supported cybertheft of U.S. companies’ proprietary information–that violate that commitment and continue to undermine the U.S. economy.
As alluded to above, the reason President Xi felt the need to send his high-level envoy Meng Jianzhu to negotiate the non-binding commitment appears to be the widely reported fact that the Administration was readying a package of sanctions against Chinese individuals and entities. The Chinese President prefered to take on a commitment to which its government has no intention of abiding rather than face inconvenience and loss of face that sanctions would cause. If the Administration had moved forward with sanctions last fall, China would have been the first country to have its entities and citizens targeted by sanctions under President Obama’s April 2015 Executive Order announcing a national emergency on cybersecurity and authorizing such sanctions.
Now just over six months after President Xi’s State Visit during which he endorsed the norm against cybertheft, that commitment appears to have done its job completely…for China. This issue, which used to be very high on the list of difficult problems in communications between the two Presidents, barely got a mention last week when the Presidents met in Washington on the sidelines of the Nuclear Security Summit. Based on the readout from that meeting, “[t]he President reiterated that we will continue to monitor whether Chinese actions demonstrate their adherence to the commitments.” But has anything changed that would merit continued passivity in the face of China’s cybertheft?
The best source of such information is the federal government, but it is not forthcoming about its information for obvious reasons. Still, we can look at the sources that told us there was no change toward the end of last year–both private sector and government–but there has not been much further discussion of whether this type of hacking continues through the first 3 months of 2016. Discussion about the direction of China-based intrusion sets in CrowdStrike’s 2015 Global Threat Report, released in February 2016, asserted that “[t]he economic downturn and new Five Year Plan in China will continue to drive their state-sponsored cyber espionage activities.” The report also details how the current economic cybertheft intrusion sets CrowdStrike has identified over time map to the priority economic sectors listed in China’s new Five Year Plan. And in comments to Politico last week, counsel to the Intellectual Property and Technology, Media and Telecoms group in Hong Kong suggested that there may have been an increase in cybertheft.
The Intelligence Community provided additional information this year in the Congressional testimonies of both Director of National Intelligence Jim Clapper and the leader of Cyber Command and NSA Director Admiral Michael Rogers. Both concluded, in identical language in their written testimonies that, “China continues cyber espionage against the United States.” And Director Clapper further elaborated that, “China continues to have success in cyber espionage against the US Government, our allies, and US companies” (emphasis added). Clearly, China has not stopped the conduct that nearly resulted in the imposition of economic sanctions last Fall.
On that basis, the time has come for the Administration to impose such sanctions on Chinese entities and individuals. The testimonies of both IC officials, however, raises a troubling question about whether the Administration is making the situation worse for American businesses. In both Director Clapper’s testimony and in responses to questions from the Senate Armed Services Committee by Admiral Rogers, the IC leaders suggested that without evidence of “…the use of exfiltrated data for commercial gain,” the jury would be out. As Admiral Rogers put it this week, “The question I think we still need to ask is, is that activity then in turn shared with the Chinese private industry?”
In fact, several reports have asserted attribution of intrusion sets focused on commercial information to Chinese state actors going back several years, but the additional burden of showing the stolen data used for specific commercial gain by Chinese industry adds a tremendous complication to any attempt to sanction Chinese cyber activities that threaten U.S. competitiveness. Such a burden would delay any such sanctions until they were far too late to be of any use. Perhaps more importantly, President Obama’s April 2015 Executive Order adopted a “reasonably likely” standard for imposing sanctions on persons or entities that engage in cybertheft. Adopting the IC’s standard–putting the onus to detect, attribute, and trace the misappropriated information through to its use by a commercial entity–is far too generous to the hackers. Combined with the reduced attention paid to the problem since President Xi’s State Visit, the adoption of this standard would render sanctions for hacking activity a dead letter.
The question the Obama Administration faces now, six months after it allowed President Xi to take the initiative, is how to regain the momentum in its fight against Chinese cybertheft. As detailed in December, the indictments of five Chinese People’s Liberation Army (PLA) hackers by the Justice Department in May 2014 had a measurable effect on the PLA’s cybertheft activities. If that is the case, indictments against hackers from the Ministry of State Security, China’s external intelligence agency, or the Ministry of Public Security, China’s domestic police agency, could be one way forward. Indictments are not a great policy option because as a law enforcement action, it is insulated–appropriately–from the policy process. As successful as those indictments were at sending a message, using that tool on a regular basis would be difficult for an Administration to control or direct. The real hope is that the White House would look at the continued cybertheft conducted by China and revisit its decision not to impose sanctions on China immediately after President Xi’s State Visit. With significant continued cybertheft originating from China, one hopes for that reversal very soon.
Chinese President Xi Jinping has had a busy autumn as the globe’s cyber diplomat-in-chief. How does the U.S. government now get Chinese government-supported hackers to change their behavior in a way that matches President Xi’s rhetoric?
On December 1 and 2, Homeland Security Secretary Jeh Johnson and Attorney General Loretta Lynch hosted a Chinese delegation led by State Councilor and Minister of Public Security Guo Shengkun in the first meeting of the U.S.-China High-Level Joint Dialogue On Cybercrime And Related Issues. The Dialogue, as described in the Joint Statement released at the end of President Xi’s State Visit in September, is to “review the timeliness and quality of responses to requests for information and assistance with respect to malicious cyber activity of concern identified by either side” and provide a hotline to escalate cases that could not be resolved through working-level cooperation.
Surprisingly, the press release issued by the U.S. Departments of Justice and Homeland Security after the meeting contained no mention of the norm proscribing cybertheft – the government-directed, cyber-enabled theft of proprietary business information used for competitive advantage – or even any generic suggestion that the U.S. side raised cases that illustrate U.S. concerns about Chinese conduct in that regard.
In fact, China’s agreement to a norm proscribing cybertheft – optimistically described as an agreement by China not to conduct cybertheft – was the main event at the State Visit. Afterwards, President Xi even followed up with two months of aggressive diplomacy designed to make China the primary proponent of this norm. During visits to other Western countries, Xi and his Prime Minister Li Keqiang added the norm to joint statements and the G20 leaders even adopted it in the Antalya Communiqué issued at their meeting last month in Turkey.
Surely, the broad push to adopt this norm represents a new understanding by Chinese leaders that such activity needs to end? Unfortunately, as I’ve written previously in this space, the agreement on the principle is accompanied by Chinese denials that they conduct cybertheft – denials that mirror denials on malicious activities in cyberspace heard from Chinese officials in the past. And this week, the Chinese government also redirected attention from cybertheft when it confirmed that before President Xi’s visit to Washington it detained an unspecified number of unidentified independent hackers in connection with the OPM data breach earlier this year – not the Chinese government cyber operators the Administration originally fingered.
One possible interpretation of China’s aggressive diplomatic push in favor of the norm and its effort to shift responsibility for the OPM hack away from government actors is a true change of heart in Beijing. Perhaps the Chinese government has concluded that stealing the innovative output of other countries is ultimately self-defeating and that such theft will no longer be a major component of its approach to innovation. After all, such theft is essentially parasitic and it requires a healthy host to support it (see p. 6). If the theft continued across decades, it would undermine—even more surely than failure to enforce intellectual property rights—the fundamental capability of innovative elements of the developed world’s economy to receive a return on the sector’s large investment in R&D. If the parasitic activity eventually kills the host, the result is a loss for both the developed world and China.
But that seems too optimistic. U.S. cybersecurity firms reported about one month after the State Visit that private U.S. companies were still being attacked by Chinese hackers operating with an unchanged methodology. And in mid-November, Bill Evanina, the Director of the Office of the U.S. National Counterintelligence Executive, had seen “no indication” that Chinese behavior had changed. So, in spite of a diplomatic blitz in favor of this norm against cybertheft, the Chinese leadership still treats its statements about refraining from cybertheft with the same cynicism displayed regarding promises not to militarize the South China Sea and never to pursue hegemony.
Examining China’s major reversal over the last three months closely, you can find a clue to why China has gone from chief denier of government-supported cybertheft to primary proponent of this norm. The switch was flipped when a leak from the White House about the threat of sanctions against Chinese entities and individuals for cybertheft under President Obama’s April 2015 Executive Order brought President Xi’s negotiator, Meng Jianzhu, to Washington to orchestrate President Xi’s acquiescence to the anti-cybertheft norm. Although unilateral economic sanctions, especially those that are very limited in scope, are thought to be more a way to send a message than to fundamentally alter a regime’s behavior, the reaction to merely the threat of sanctions was dramatic and immediate.
As I wrote in this space immediately following the State Visit, on cybertheft China has offered words in exchange for a change in action on the part of the U.S. government in a classic tactical gambit drawn directly from Sun Zi’s Art of War. But if the mere threat of sanctions resulted in the diplomatic reversal, why should the U.S. government suppose that limited sanctions would change behavior? Because such targeted actions appear to have worked with China on this issue in the last 18 months. When the U.S. government indicted five People’s Liberation Army (PLA) officers for cybertheft in May 2014, the diplomatic response from China was furious and seemed counterproductive: China withdrew from the State Department-led bilateral cyber dialogue and demanded the withdrawal of the indictments in most of its diplomatic engagements with U.S. officials. According to the Washington Post this week, however, behind the scenes, the PLA’s responded by dramatically reducing the level of economic espionage conducted by PLA-controlled actors. In other words, the indictments changed the behavior that has so frustrated U.S. policy makers.
Imposing the sanctions that the White House had contemplated in August might have resulted in a difficult diplomatic fallout. The upside, however, is that those sanctions also might have convinced the civilian hackers in China’s Ministry of State Security to curtail their cybertheft practices in the same way last year’s indictments convinced the PLA. It is not too late to learn this lesson. Now that China has agreed to appropriate norms of behavior in cyberspace without actually curtailing its malicious activities, the time has come to sanction Chinese entities and individuals responsible for cybertheft to get the change that will actually matter for the U.S. economy.
Last week on this blog, I suggested that the Chinese government had likely out-maneuvered the U.S. government on the question of cybertheft in advance of President Xi’s State Visit. Following meetings between Presidents Obama and Xi on Thursday and Friday of last week, the White House released a Fact Sheet affirming a common position on cybertheft as well as creating (another) high-level dialogue on cyber issues and the creation of a hotline for cyber-related incidents.
The bad news? Agreement to state a principle of behavior is still favoring talk over action. China’s acceptance of the norm is not inconsistent with Chinese protestations of innocence on cybertheft. Looked at in that light, the Administration may have paid a real price by agreeing not to sanction Chinese individuals and entities under the President’s April 2015 Executive Order (EO) in exchange for a commitment to a norm China insists it follows anyway.
The bottom line on whether to perceive this agreed language as progress or not depends on whether cybertheft is degrading American economic competitiveness by the second or cybertheft is one among a collection of cyber-related problems that can be resolved through deliberative international processes. The Obama Administration has consistently maintained that Chinese cybertheft represents an urgent national security problem as it degrades U.S. economic competitiveness and, undermines future U.S. growth. Accepting this premise, the U.S. government should have acted by announcing sanctions rather than settling for a statement that did not break new ground. If the White House had decided merely to delay sanctions until after the Xi visit, it would have been elevating diplomatic niceties over tough messaging; sanctions in October, however, would have gotten the job done. Chinese support of a norm against cybertheft without careful definition of the terms, a verification mechanism, or any penalties for violating those words does not.
A long-term goal of achieving agreement on norms of behavior in cyberspace presumes that the problem is not urgent and can be addressed best through an international process that will lead to some eventual multilateral agreement. (The President, in his remarks to The Business Roundtable earlier this month suggested both that the situation is urgent and that a drawn-out multilateral process provided the most effective way of achieving results, a logically inconsistent position.) If the long-term trumps the short-term, the results of getting Chinese buy-in on a norm of behavior proscribing cybertheft is a success on which the U.S. can build. The rhetoric from the Administration, however, does not support that conclusion.
Allow me to add one caveat: One commentator has suggested that sanctions will still happen and that the Administration only agreed to change the potential targets: “Expect them to come but to target companies not Chinese officials.” This information is not part of what the White House released following the visit so it is not possible to verify the extent to which the Administration agreed to defer santions. If sanctions will still happen, there is a stronger argument that this is a win-win outcome with actions as well as diplomatic words in the offing. I have a hard time believing that a Chinese envoy and a Chinese President agreed to make the statements on cybertheft in exchange for limited or unspecified forbearance related to sanctions. The proof should come in the next few weeks as we watch to see whether the U.S. Treasury imposes sanctions or not.
“The highest form of warfare is to out-think the enemy.”
“In all kinds of warfare, the direct approach is used for attack, but the oblique is what achieves victory.”
“If you do not wish to engage with the enemy, even though your defences are no more than a line in the ground, you can prevent them attacking by luring them away with a feint or a decoy.”
––Sun Zi, The Art of War
In advance of President Xi’s State Visit to Washington this week, White House officials in August previewed what was to be the first use of the powers created by an April Executive Order (EO) aimed at curbing unacceptable cyberactivity. The EO authorizes tough financial sanctions against those who benefit from a country’s illicit cyberactivities, for damaging critical infrastructure and computer networks in the United States and benefiting from the cyber-enabled theft of proprietary information, as these are the components of the U.S. private sector’s economic competitiveness.
At that time, the U.S. government was reeling from reports of the first of two attacks reliably attributed to the Chinese government; against the Office of Personnel Management and attacks involving sensitive health information at Anthem, attributed to Chinese government-directed attackers, and against Sony Pictures Entertainment, which involved physical damage achieved through cyber means and carried out through North Korea’s Internet link that passes through China. The EO added strength to an ongoing campaign by the President and his advisors either to change Chinese government behavior or hold the Chinese government to account for it.
Those White House officials left some ambiguity about the timing of sanctions relative to President Xi’s visit and whether sanctions would single out China or include other bad actors. They timed the leak well. Mere weeks before President Obama welcomed Xi to the White House it alerted the Chinese government to the embarrassing possibility that the sanctions would dominate the news around the visit. By leaving open the timing of sanctions, the White House provided the Chinese government with an opening to negotiate on those elements, sparing the Chinese leader the embarrassment of a sanctions announcement on the eve of the visit.
The Obama Administration, however, may not have prepared for the Chinese response very well. They should have re-read The Art of War.
The conversation between the United States and China on cyber has become an endless discordant loop since the beginning of the Obama Administration. The United States has complained that Chinese state-directed hackers have stolen commercially relevant information from U.S. firms; China has denied that such theft––or any inappropriate cyberactivity––has taken place. The U.S. government countered that denial by building a stronger and more detailed case against Chinese government conduct. In some instances, the private sector has also provided public evidence. Last year, in fact, the U.S. government indicted on charges related to their cyberactivities five Chinese officials (whom the U.S. will presumably prosecute should they present themselves in U.S. territory). Naming and shaming, the U.S. government has sought to convince China to come to the negotiating table and discuss how Chinese behavior should change.
This tactic has failed at the most rudimentary level: the Chinese government flatly denies conducting any form of inappropriate cyberactivity––a laughable contention, as nearly all states with capacity engage in some form of espionage in cyberspace––and blames U.S. networks for hosting the majority of illegal cyberactivities. More convincing evidence will not overcome China’s airy denials.
In spite of the absence of meaningful dialogue, the U.S. government has tried to expand the campaign to like-minded nations. To rally the international community against China’s bad cyberbehavior, the U.S. government earlier this year sought support at the United Nations (UN) for certain norms in cyberspace. But that move actually confused the issue. The norms tabled at the UN address obligations to refrain from damaging critical infrastructure and to provide assistance to countries that have suffered an attack; the U.S. government did not include a norm against cyberactivities aimed at stealing the sources of another country’s economic competitiveness. The effort at the UN, then, will result only in Chinese denials to a larger community; it has also distracted from the principal U.S. goal of minimizing cybertheft of the foundations for economic competitiveness.
The Chinese government seems to have absorbed the implicit shift in the U.S. UN submission away from cybertheft. According to media reports this week, U.S. and Chinese negotiators have agreed to some form of code of conduct related to the critical infrastructure-related norms to be announced as a deliverable of Xi’s visit. The Chinese government seems to have realized that the U.S. government might accept a general commitment to norms unrelated to cybertheft, combined with additional commitments to talk, in exchange for taking sanctions off the table. If the agreement discussed in the press is actually limited to norms unrelated to cybertheft, it would not constitute the progress that President Obama last week suggested would suspend U.S. consideration of sanction. In that case, the Chinese will have succeeded beyond any expectation. The United States is left with more words, further delayed action, and Chinese agreement that they will not engage in conduct… that they never acknowledged in the first place.
Would sanctions against Chinese individuals and entities have been a game changer in the ongoing battle over economic competitiveness? The record for unilateral U.S. sanctions changing bad behavior does not provide much reason to think it would, in and of itself, end Chinese cyberhacking. But sanctions would change the calculus for bad cyberactivities in ways that bilateral or international discussions cannot, by closing off valuable U.S. and multinational business and financial access.
The agreement that the two Presidents will make on Friday has to pass a very high bar to be acceptable: in exchange for avoiding sanctions and turning a potential embarrassment for President Xi’s visit into an opportunity for Xi to look like a statesman, the agreement must cover cybertheft and provide concrete means to verify those promises from the Chinese. If so, it may take some time to assess whether the agreement is more than words. Otherwise, President Xi has gotten a State Visit and avoided embarrassment. It will be far less clear what President Obama and the United States have achieved.
Adam Bobrow is the Founder and CEO of Foresight Resilience Strategies and a senior fellow with the GW Center for Cyber and Homeland Security.