On July 7, a grand jury in the Eastern District of Washington charged Li Xiaoyu and Dong Jiazhi—both citizens and residents of China—with running a decade-long global computer intrusion campaign, involving the theft of terabytes of intellectual property and confidential business information. For several reasons, this case was particularly relevant to European efforts to fight cybercrime and establish norms and rules for state behavior in cyberspace. Yet when the United States announced the indictment, its attempt to build a vocal alliance of like-minded countries flopped spectacularly.
Li and Dong’s case had a natural overlap with European cybercrime interests. First, while the two were in part working for their own financial gain , the indictment also outlines how they were purposefully supported and actively directed by the Chinese Ministry of State Security (MSS) to conduct targeted economic espionage abroad. This support from the MSS even encompassed the sharing of a zero-day exploit when Li ran into difficulties compromising a mail server of a Burmese human rights group. Indeed, the Justice Department’s evidence echoes in part the worries of Anne An, a senior security researcher at McAfee, who explained back in February that, “as the Chinese cybercriminal underground quickly expands its scope and sophistication, it is increasingly difficult to separate cybercrime from cyber espionage activity.”
On July 30, the European Council imposed for the first time ever EU cyber sanctions for attempted espionage (Russia’s close-hacking operation against the Organization for the Prohibition of Chemical Weapons), disruptive campaigns (the WannaCry and NotPetya ransomware attacks), and the theft of intellectual property and business information by a foreign government agency (China’s “Cloud Hopper” hacking campaign). While many analysts applauded this step, however, it will be significantly harder to leverage foreign policy instruments to curb an increase in non-state-sponsored Chinese cybercriminal campaigns hitting European targets. Similarly, it will not help much to remind Beijing to comply with international norms and fulfill its due diligence obligation under international law if China is providing a safe haven for Chinese cybercriminals in exchange for their work benefiting the state—as appears to be the case with Li and Dong.
Second, the indictment alleges that Li and Dong were busy exfiltrating 140 GB of data from a Virginia federal and defense contractor, along with 27 GB of data from a Texas engineering and technology firm—including business proposals and other documents concerning space and satellite applications—at the same time that President Obama and Chinese President Xi Jinping were negotiating the September 2015 agreement that stipulates that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property.” Though some hailed the Obama-Xi agreements as a stepping stone toward “cyber arms control,” the agreement was under severe pressure by late 2018 and eventually collapsed by early 2020—with former Homeland Security adviser Thomas Bossert noting on Twitter that “the 2015 Obama/Xi Cyber agreement is dead. The Chinese killed it.” The U.S. experience should be a lesson for all EU member states that guarantees on data security from Beijing, which Chancellor Angela Merkel tried to obtain back in February 2019 for allowing Huawei to participate in Germany’s 5G build-up, are bound to be violated immediately.
Third, the indictment also states that “more recently [Li and Dong] researched vulnerabilities in the networks of biotech and other firms publicly known for work on COVID-19 vaccines, treatments and testing technology.” It should come as no surprise that intelligence agencies everywhere are trying to gain access to research data on the novel coronavirus. But the notion that an MSS-directed cybercriminal campaign is most likely also targeting the health sector in the European Union flies in the face of High Representative Josep Borrell’s declaration in April 2020, which called upon all countries to “exercise due diligence and take appropriate actions against actors conducting [malicious cyber activities targeting the health care sector] from its territory.”
Finally, among the hundreds of victims worldwide, the indictment specifically mentions 12 companies located in Australia, Belgium, Germany, Lithuania, the Netherlands, South Korea, Sweden and the U.K. The charges against Li and Dong, in other words, clearly involved European interests.
Given the global nature and normative violations of Li and Dong’s campaign, it was not surprising that the U.S. indicated other nations would be weighing in. Assistant Attorney General John Demers noted in the Justice Department’s press conference on July 21 that the law enforcement cooperation in this case was “yet another example of how like-minded countries can stand together to counter malicious state-sponsored cyber activities”—and, he said, “we are appreciative of the statements that are going to be made by several of these countries in the coming hours.”
Yet few of the promised statements actually arrived. And the handful of countries that did weigh in were noticeably soft toward China. Australia released a statement that did not call out China by name but merely expressed “concern over reports of global malicious cyber intrusions” as detailed by the indictment and reiterated its “call to all countries to refrain from behaviour which violates their international commitments.” The Dutch Ministry of Foreign Affairs commented on Twitter that “the Netherlands joins international partners in condemning malicious cyber operations and theft of intellectual property by state and non-state actors”—but did not specifically name China. Meanwhile, the German Ministry of Foreign Affairs published a press release that condemned the hacks, quoting an unnamed spokesperson, while German Foreign Minister Heiko Maas remained silent the day after Demers’s announcement. Though Maas spoke with Chinese Foreign Minister Wang Yi on July 23, there has been no reporting that Maas mentioned the indictments during his call with Wang—even though the indictment alleges that Li and Dong stole 3 GBs of data from a German construction company and a German software engineering firm in 2017.
The strongest response to the indictment came from the United Kingdom. In a statement, Foreign Secretary Dominic Raab clearly identified China by name, expressed deep concern over Beijing’s behavior, and warned that “the U.K. will continue to counter those conducting such cyber attacks, and work with our allies to hold perpetrators to account and deter further malicious activity around the world.” Ironically, Raab was meeting with Maas while the statement was published, even though Maas would remain quiet on the matter in the coming days.
No other country subsequently joined the Justice Department’s global call-out. Some of these silences are particularly loud. The Spanish government, for example, released its España Digital 2025 strategy on July 24—but there has been no reaction in Madrid to the indictment’s allegation stating that Li and Dong stole 900 GB of data from a Spanish electronics and defense firm in March 2020. Lithuania was busy commemorating the 80th anniversary of America’s refusal to recognize the Soviet Union’s annexation of the Baltic states—but amid this celebration of U.S.-Lithuanian friendship, the government stayed quiet on the fact that Li and Dong stole 38 GB of data from a Lithuanian gaming company back in April 2017. And the governments of Belgium and Sweden also did not heed the global call, bringing the number of EU countries that were both affected and remained silent up to four.
It is not every day that the U.S. Department of Justice unseals an indictment against state-sponsored Chinese hackers. So it is all the more concerning that, while law enforcement cooperation across the Atlantic is strengthening from case to case, foreign policy cooperation and coordination is walking in the opposite direction.
Nevertheless, the EU appears to be following America’s lead on sanctions. As of this writing, EU member states have made a conscious choice in Brussels to impose EU cyber sanctions on Russian, Chinese, and North Korean entities and individuals. Reporting indicates that almost all individuals and entities on the EU’s sanctions list have already been sanctioned by the U.S. government in previous years.
It is anyone’s best guess what the EU member states are trying to achieve by ignoring the Justice Department’s global call-out on the one hand, while emulating U.S. sanctions on the other. From Beijing, Moscow and even Pyongyang’s perspective, the EU’s foreign policy incertitude in cyberspace likely appears as a lack of European initiative, political resolve and proactive willingness to effectively and swiftly confront malicious cyber activities. This episode suggests that there is currently a lack of political cooperation on cybercrime at precisely the moment it is most needed—and, crucially, a lack of political will within Europe. EU cyber sanctions are not going to fill that void, but an increase in indictments, arrest warrants and potentially even leveraging of offensive cyber operations against cybercriminals abroad—as practiced by Australia’s Signals Directorate in April 2020—could turn the tide in the long run.