Cybersecurity: Crime and Espionage

China and Cybertheft: Did Action Follow Words?

By Jack Goldsmith
Friday, March 18, 2016, 9:26 PM

I was very skeptical about last September’s US-China “agreement” in which China pledged that it would not “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”  President Obama seemed skeptical too.  During the press conference with China’s President Xi that announced the cyber agreement, Obama said: “What I’ve said to President Xi and what I say to the American people is the question now is, are words followed by actions.  And we will be watching carefully to make an assessment as to whether progress has been made in this area.” 

Acknowledging that I did not know what carrots or sticks the United States might have used in secret, I was skeptical of the “deal” for many reasons.  First, it was full of loopholes – what does “knowingly support” mean?; how to ascertain China’s “intent” to aid local firms when it might have so many other reasons for commercial theft?, etc.  The unclear agreement left much room for opportunistic action.  Second, I couldn’t fathom why China would back down from commercial theft practices worth (allegedly) hundreds of billions of dollars in the face of threatened (but never consummated) U.S. sanctions that at best would impose only a tiny cost compared to China’s gains.  Third, and relatedly, there was no other public evidence that the U.S. made the type of seriously threatening actions, or concessions in its own behavior, that might have induced China to give up its commercial theft practices.  

My skepticism did not wane, and my puzzlement grew, when DOJ's National Security Division Chief John Carlin gave a speech last December at Harvard in which he took extensive credit for China’s climb-down.  Carlin stated that “to make real progress” against the cyberthreat, “we must not only defend against and disrupt attacks [a term he used to include commercial cybertheft], but also deter them in the first place.  In other words, we must fundamentally change our adversaries’ cost-benefit analysis.”  I could not agree more.  But I didn’t see how the USG was changing anyone’s cost-benefit analysis.  Then Carlin explained that it was actually DOJ’s 2014 indictment of five Chinese military officers for commercial hacking and economic espionagean indictment that has no prospect of reaching trial because the defendants will never appear in the United States—that changed China’s mind and led to China to agree to the U.S. position on commercial cybertheft.  (A WP story a few days earlier made the same point, based on claims made by unattributed “current and former U.S. officials.”)  Carlin’s prepared remarks stated:         

For example, in May 2014, after a lengthy investigation, the department indicted five Chinese military officers by name for computer hacking, economic espionage and other offenses directed at American companies.  The 48-page indictment describes numerous and specific instances where uniformed officers of the PLA hacked into the computer systems of American nuclear power, metals and solar-products companies to steal trade secrets and sensitive, internal communications that could be used by Chinese companies to give them a commercial leg-up.

But the investigation, and the public charges it led to, have had a lasting impact.  Last spring, our indictment was met with indignant denials.  But a year later (and after rumors circulated that additional costs might be imposed), Chinese President Xi Jinping publicly declared, during his state visit in September, that, “China strongly opposes and combats the theft of commercial secrets and other kinds of hacking attacks.”  The United States and China committed that neither country’s government will conduct, or knowingly support, cyber-enabled theft of trade secrets or confidential business information with the intent of providing competitive advantage to companies or commercial sectors.  … What began with denials ended, at least for now, with a shift in international norms and a commitment from China to change its behavior. 

I was surprised by this claim, and I asked Carlin about the “mechanism” through which his indictment caused China to change it mind so sharply.  He answered (38:30 ff., here) that spies don’t like to be exposed, that the indictment showed that the United States could do attribution and would publish the results, and that attribution by the United States brought State-sponsored commercial spying to the attention of a perhaps-unaware Chinese leadership.  Carlin concluded by saying that the indictment, combined with last April’s Executive Order authorizing sanctions, “showed a determination…that we will keep raising the costs of stealing in this manner until it changes.”  I still didn’t get why the undoubted but relatively slight costs that the United States had imposed through these mechanisms would be enough to stop China from reaping the enormous benefits of commercial cybertheft.  But since Carlin was so confident that his indictment had achieved a “lasting impact” on China’s cybertheft, I assumed there must be something else going on behind the scenes.

That was three months ago.  Last month, DNI Clapper said that “Whether China’s commitment of last September moderates its economic espionage remains to be seen.”  And then on Wednesday, NSA Director Rogers suggested in testimony before the Emerging Threats and Capabilities Subcommittee of the House Armed Services Committee that China might not be living up to its pledge.  According to Bill Gertz, Rogers’ “prepared testimony” stated that “cyber operations from China are still targeting and exploiting U.S. government, defense industry, academic, and private computer networks.”  In the hearing video that I watched, Rogers included China in the list of nations that (12:20 on video) “steal intellectual property [and] citizens’ personal information.”  

Because China's pledge last fall was both narrow and vague, it is unclear whether these statements mean that China has broken its word.  We cannot tell from Rogers’ statement whether the cyber operations from China into private computer networks were conducted or knowingly supported by China’s government, or whether China’s theft of intellectual property was done with the “intent” to give Chinese firms a competitive advantage.  So while Rogers was suggestive, the public still can't tell for sure whether China followed its September words with actions. 

But if it turns out that China broke its pledge, don’t worry.  DOJ can bring another indictment to try to “rais[e] [China’s] costs of stealing in this manner until it changes.”