Cybersecurity and Deterrence

The Failure of the United States’ Chinese-Hacking Indictment Strategy

By Jack Goldsmith, Robert D. Williams
Friday, December 28, 2018, 9:00 AM

Just before Christmas, the U.S. Department of Justice unsealed an indictment against two Chinese nationals who allegedly conducted a twelve-year “global campaign[] of computer intrusions” to steal sensitive intellectual property and related confidential business information from firms in a dozen states and from the U.S. government. According to the indictment, the defendants conducted these acts as part of the APT10 hacking group “in association with” the Chinese Ministry of State Security.

This is only the latest round of indictments against Chinese nationals for computer hacking in the United States. The first one occurred in May 2014, when the Justice Department indicted five People’s Liberation Army (PLA) officers on economic espionage charges. Next, in November 2017, the department unveiled an indictment of three Chinese nationals employed by a Chinese cybersecurity firm for cybertheft of confidential business information from several firms after receiving “no meaningful response” for assistance from the Chinese government. In October of this year, the Justice Department unsealed an indictment against two Chinese intelligence officers for cybertheft of intellectual property and business secrets from thirteen U.S. firms. And on Nov. 1, the department charged a Chinese state-owned company and three individuals with stealing trade secrets from American chipmaker Micron. 

The cyber indictment strategy is a central element of the United States’ response to the ravages of theft and destruction by China that it has suffered in the cyber realm in the last decade. Is the indictment strategy working? It is hard to answer this question with certainty, because it is not clear how that strategy might be working in tandem with broader trade measures and with secret cyber operations. But viewed narrowly, on the basis of the public record in light of its publicly stated aims, the indictment strategy appears to be a magnificent failure.

***

First consider deterrence, an oft-stated aim of such indictments. The indictments rarely result in prosecution but do expose the alleged wrongdoers publicly, prevent them from traveling and perhaps embarrass them in certain circles. These costs are not nothing; would-be state-sponsored cyber-intruders and their principals surely take them into account.  But it has always been unclear how these relatively miniscule costs are supposed to influence Chinese macro-decisionmaking when the benefits of the cyber-intrusions by the Chinese—untold billions of dollars in commercial benefits, plus a massive reticulate database of information on American citizens with unending intelligence and other benefits—are so huge.

Nonetheless, many were optimistic that the indictment strategy would work. The initial 2014 indictment was later credited, at least in part, with influencing China’s President Xi Jinping to agree with President Obama, in September 2015, that China would not “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” Many commentators believed this legally non-binding agreement established a norm that caused China to tamp down on its cybertheft inside the United States. “The indictments had an amazing effect in China, more than we could have hoped for,” said James A. Lewis in November 2015, capturing conventional wisdom. And there was indeed, according to many sources, a tamp-down in the volume of state-sponsored cybertheft from China in the years after the Obama-Xi agreement. 

But state-sponsored commercial cybertheft from China never came close to ceasing, as the Xi-Obama deal requires. Indeed, several criminal incidents detailed in the 2017 and 2018 indictments occurred after Xi’s 2015 pledge, as did (for example) parts of the China hack of Marriott, which vacuumed over three hundred million passport numbers among other valuable information. It is now better understood that the apparent slowdown in China’s cybertheft after the 2014 agreement was more likely due to two factors: (1) China’s hackers grew more operationally sophisticated and began to hide their tracks (or their connections to state entities) better; and (2) Xi’s centralization reforms and anti-corruption campaign cracked down on unauthorized cybertheft freelancing. Moreover, for whatever reason—a ramp-up by China, or better detection by the United States, or both—the U.S. government has been reporting that in the last year, China’s commercial theft inside the United States has gone full throttle. In light of the continuing raft of Chinese commercial cybertheft after 2014, these two factors suggest that the 2014 deal didn’t do much.  As a U.S. Trade Representative investigation concluded almost a year ago, “the evidence indicates that cyber intrusions into U.S. commercial networks in line with Chinese industrial policy goals continue.”

With these developments in mind, it is hard not to conclude that the Justice Department’s deterrence-by-indictment efforts have failed. And the scale of the failure is large. The head of the FBI’s counterintelligence division testified last month that China’s “economic aggression, including its relentless theft of U.S. assets, is positioning [it] to supplant [the United States] as the world’s superpower.”

Nor has the indictment strategy worked to serve other aims. One such aim is to establish a norm against state-sponsored commercial cybertheft to help national firms. The continuance of massive theft by China and other countries with little penalty shows that the norm simply does not exist. 

Another aim of the indictment strategy is to demonstrate that the U.S. government can burrow deeply into foreign intelligence services and related foreign activities and pick out individuals and their activities with extraordinary precision. Such public attribution might have a minor deterrent effect; it can be scary to know that the United States can watch anything. It might also help generate a broader public understanding about Chinese hacking in the hope of galvanizing support among U.S. allies and the public for a diplomatic push against China. But these gains to the United States of attribution are, again, offset by the massive benefits reaped on the other side. Also, showing off the fruits of U.S. surveillance capacities in this way must—at least at the margins, if not more deeply—compromise those capacities.

Public attribution via indictments and other mechanisms without a material response also has another underappreciated adverse impact. When the main public response to cybertheft that has reached crisis proportions is to identify the perpetrators but not punish them, the main signal to adversaries (especially third parties who are watching) is that the United States is extraordinarily defenseless. As one of us once wrote:

The publication of the many losses [due to cybertheft], followed by the invariably weak or nonexistent public response, demonstrates credibly that U.S. defenses are poor and that the U.S. government is either unable or unwilling to retaliate even in the face of massive cyber losses. This combination of events thus emboldens adversaries and weakens deterrence. Even if the United States is robustly engaging in retaliatory covert or clandestine responses, those responses cannot contribute to deterrence against the many third parties who are watching, and indeed in context detracts from it. … Unless a nation is able to effectively redress a cyber intrusion, it can be harmful or self-defeating to publicize it, since public knowledge of loss and the failure to respond effectively invite more attacks.

To get a sense of the problem, imagine a series of physical thefts inside the United States amounting to billions of dollars of losses, to which the government proudly responds by indicting a small number of the perpetrators and prosecuting few if any of them. Such a strategy would embarrass the government and invite more criminal activity.  Something just like that appears to be going on in response to the U.S. indictment strategy, at least if it is considered alone.

***

To acknowledge the failure of the U.S. indictment strategy on its own terms is not to discount the complexity of the challenge. American officials charged with determining how to respond to rampant cybertheft face very difficult foreign policy tradeoffs. And they are deploying more forceful tools than mere indictments to meet the China cybertheft threat.

One more forceful tool the United States could use against China is meaningful economic sanctions on the perpetrators and beneficiaries of commercial cybertheft. The U.S. Treasury has had sanctions regulations in place for “malicious cyber-enabled activities” since April 2015. For over three years, the United States has threatened to deploy these sanctions against Chinese firms and persons, and it has already done so in connection with cyber activity by Iran, North Korea, and Russia (including sanctions against a Chinese research unit in connection with a sanctions regime against Russia). And yet despite continuing complaints and threats, the U.S. government has not yet pulled the trigger and issued economic sanctions against China in response to its massive commercial cybertheft. 

Aside from the difficulty of tailoring such sanctions to effectively deter those most responsible, deploying the sanctions would risk inviting retaliation against U.S. multinational firms that are vitally dependent on access to China’s markets. This is particularly salient in the Chinese context, as Beijing historically has not been shy about geopolitically motivated economic retaliation against foreign companies operating in China. Indeed, it appears that concerns about retaliation by China may have driven the U.S. government’s decision not to couple the latest Justice Department indictments with more aggressive measures. According to the Washington Post, the Trump administration had considered imposing financial sanctions on Chinese entities implicated in the hack, but that proposal was blocked by Treasury Secretary Steven Mnuchin over fear of derailing the ongoing U.S.-China trade talks.

It is possible that the latest exercise of restraint was a tactical decision in a broader initiative. The United States might have kept the threat of narrowly tailored sanctions for cybertheft in its pocket as leverage while Washington tries to negotiate major concessions from Beijing in the 90-day window of negotiations Trump and Xi agreed to at the G20 summit. Indeed, those negotiations are in part about China’s theft of U.S. intellectual property (IP) secrets. President Trump and his advisors have often cited such theft as one reason for the trade sanctions, and the Office of the U.S. Trade Representative’s Section 301 report on Chinese economic practices makes clear that IP theft is a core tension driving the ongoing U.S.-China trade conflict. Viewed this way, the trade war is, at least in part, a very robust means of sanctioning China, even if the “sanctions” in question (unlike the indictments, and the cyber sanctions addressed to activity from other countries) are not specifically tied to particular events of IP theft.

But if the existing tariffs are in significant part about IP, that message has been muddled by Trump’s persistent focus on the bilateral trade deficit and by the application of the tariffs to a broader set of U.S. concerns about Chinese industrial policies and barriers to market access for U.S. firms. These broader issues dilute the connection between the blunt instrument of tariffs and the specific threat of cybertheft.

It is certainly possible that a grand bargain on U.S.-China trade issues—including industrial policies and market access—will contain substantial elements addressing cyber-enabled intellectual property theft. This prospect raises an additional puzzle: When it comes to cybertheft, what assurances can China realistically provide to the United States that would be more explicit or enforceable than Xi’s 2015 commitment to refrain from state-sponsored hacking for commercial purposes? Given the enduring difference in political systems between the United States and China, it is an open question how much of China’s resistance to preferred U.S. norms is baked into the Chinese system and how much can be dialed back without sacrificing Chinese leaders’ perceptions of their core interests. This fundamental issue applies as much to norms against economic espionage as to norms against market-distortive industrial policies, and provides yet another reason to think Washington’s indictment strategy is unlikely to alter Beijing’s macro calculus.

It is also possible that the indictment strategy may be working in imperceptible ways in conjunction with the United States’ new offensive posture in cyberspace. The unclassified summary of the Department of Defense’s 2018 Cyber Strategy pledges to “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” This new strategic turn of phrase may signal an effort to supplement “deterrence” with “disruption”—including, in principle at least, U.S. government disruption inside China of the sources of malicious cyber activity against private-sector targets inside the United States. (It is perhaps notable that many of the companies targeted in the APT10 hack fall within what the U.S. government has deemed “critical infrastructure” sectors.) With the Trump administration’s recent loosening of the rules governing U.S. cyber operations, it is possible that some form of “forward defense” against state-sponsored cybertheft is already in the works.

There is no publicly available evidence about the extent to which the U.S. government has been successful in disrupting malicious cyber actors “at the source.” If such disruption has been happening entirely out of the public eye, the near-daily reports of state-sponsored hacking against U.S. interests only magnify questions about the effectiveness of U.S. efforts. Additionally, a more disruptive offensive posture risks retaliation just as sanctions do. It remains unclear whether the escalatory risks of a disruption strategy will ultimately play more to Washington’s favor or to those of its adversaries. And it is puzzling what the indictment strategy—which long predates this new Defense Department policy—might add to these more aggressive efforts at disruption.

The bottom line is that United States continues to be asymmetrically vulnerable to cybersecurity threats against private-sector companies on which U.S. economic and national security depend. By and large, the private sector has not been incentivized to invest in measures sufficient to prevent major compromises of intellectual property and trade secrets. And U.S. commitments to free speech, privacy and limitations on domestic government surveillance make it difficult for the U.S. government to identify, prevent and respond to malicious cyber operations. These domestic issues add to the geopolitical complexities that have paralyzed the U.S. government from responding more vigorously, leaving the country with a series of high-profile criminal indictments that have achieved no discernibly positive effects and that might, on balance, be self-defeating.