Cybersecurity: Crime and Espionage

The Chinese Hacking Indictments and the Frail “Norm” Against Commercial Espionage

By Jack Goldsmith, Robert D. Williams
Thursday, November 30, 2017, 1:00 PM

On Monday, the Justice Department unveiled an indictment of three Chinese nationals employed by Chinese cybersecurity firm Boyusec (博御信息), charging them with hacking into the computer systems of Moody’s Analytics, Siemens AG, and GPS developer Trimble Inc. to steal confidential business information “for the purpose of commercial advantage and private financial gain.”

A Pittsburgh grand jury reportedly returned the indictment in September, but prosecutors unsealed the charges this week after seeking assistance from the Chinese government to halt the Boyusec activities and receiving “no meaningful response,” according to a DOJ spokesperson.

The U.S. government and U.S. companies have long complained about rampant Chinese economic cyberespionage, and the Boyusec case has drawn comparisons to the May 2014 indictment of five members of China’s People’s Liberation Army (PLA) for similar acts of alleged cybertheft aimed at providing competitive advantages to Chinese companies. The PLA indictment presaged a September 2015 agreement between U.S. President Barack Obama and Chinese President Xi Jinping aiming to place limits on state-sponsored cyberespionage. According to outcome documents released by the U.S. and Chinese governments following Xi’s September 2015 state visit, the two sides agreed “that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

This (non-legally-binding) diplomatic agreement was the culmination of Washington’s efforts to persuade Beijing to acknowledge a norm against cyber-enabled theft of IP and business secrets for “commercial” purposes. The norm seemed to have been bolstered when the U.S.-China linguistic formulation gained the support of G-20 leaders at their November 2015 summit. Reports indicate that the raw volume of Chinese IP and trade secret theft has in fact declined since the 2014 PLA indictment and the 2015 commercial espionage agreement, leading to a reduction in bilateral tensions on the issue. Some have cited this as evidence that China is “complying” with 2015 cyber agreement. But there have always been questions about the norm’s robustness—about whether any reduction in Chinese cybertheft was motivated, and limited by, Xi’s efforts to clamp down on corruption in China; and about how much and what types of cybertheft its ambiguous terms (“knowingly support cyber-enabled theft … with the intent of providing competitive advantages”) actually ruled out.

This week’s Chinese hacking indictment calls into further question the robustness of the commercial espionage norm. Boyusec is ostensibly a private firm, but multiple analyses have exposed its links to China’s Ministry of State Security. The indictment covers alleged conduct through May 2017, so at least some of what is alleged in the indictment took place after the September 2015 Obama-Xi agreement. And the terms of the 2015 cyber agreement echo throughout DOJ’s indictment. Prosecutors went out of their way to emphasize that the defendants acted “for the purpose of commercial advantage and private financial gain.” The indictment delineates the commercial (nongovernmental) sectors serviced by each of the three targeted U.S. firms, noting for example that Trimble’s GPS technology targeted by the hackers “had no military applications.” (It would be interesting to know whether other technology with potential dual-use applications was also targeted but left unmentioned in the indictment.) The indictment also notes that Boyusec “purported to be a [private] Chinese cybersecurity firm” (emphasis added).

The facts of the case thus implicate the blurry line between state and non-state actors and between “national security” and “commercial” purposes. And they highlight how especially blurry that line is in the Chinese context. The indictment’s view of what constitutes a legitimate national security purpose sits in tension with China’s expansive official conception of national security. President Xi Jinping has emphasized the need for Chinese Communist Party (CCP) and government officials to embrace a comprehensive national security perspective that incorporates “political, economic, territorial, social and cyber security.” Similarly, China’s 2015 National Security Law—adopted less than three months prior to the 2015 cyber agreement—explicitly contemplates economic security. On these terms, virtually any objective the CCP might determine to be within the realm of national interests—including economic interests—could qualify in principle as a national security objective.

The Boyusec indictment thus suggests that China is either violating the 2015 deal or exploiting its ambiguities and thus exposing the norm against commercial cybertheft as weak. Indeed, despite their joint statement in September 2015, it is not at all clear that the United States and China ever agreed on how to understand the meaning of “the intent of providing competitive advantages to companies or commercial sectors.” The two countries have differing political-economic systems and differing conceptions of national security; and they appear to have very different understandings of the deeply ambiguous 2015 agreement.