Cybersecurity: Crime and Espionage

More Harmful Public Hand-Wringing on Possible Sanctions Against China for Cyber Theft

By Jack Goldsmith
Monday, August 31, 2015, 5:45 AM

“The Obama administration is developing a package of unprecedented economic sanctions against Chinese companies and individuals who have benefited from their government’s cyber theft of valuable U.S. trade secrets,” reports Ellen Nakashima’s in the Post. Nakashima says that the USG “has not yet decided whether to issue these sanctions, but a final call is expected soon—perhaps even within the next two weeks, according to several administration officials, who spoke on condition of anonymity to discuss internal deliberations.”

Might the Obama administration really impose “unprecedented economic sanctions” against China just as China’s economy tanks, and on the eve of a State visit by Xi Jinping? Or is the real news here that the administration has still not yet decided what to do? The latter, I suspect. I am skeptical that we will see anything more than symbolic or nominal sanctions, if that. For years the administration has considered and threatened sanctions against China for its cybertheft. But little if anything ever happens.

Over six years ago, President Obama announced that his administration would ramp up USG efforts against cyber intrusions into public and private networks in the United States. Three and a half years ago, Siobhan Gorman wrote in the WSJ that the Obama administration “is considering a raft of options to more aggressively confront China over cyberspying.” Gorman added: “Options include trade sanctions, diplomatic pressure, indictments of Chinese nationals in U.S. courts and cyber countermeasures—both attack and defense.” She also noted that sanctions were “likely not imminent.” Indeed.

Eighteen months ago the administration worked up the courage to indict Chinese military officers for cybertheft. The NYT noted at the time that the indictment “was almost certainly symbolic since there is virtually no chance that the Chinese would turn over the five People’s Liberation Army members named in the indictment.” (I tried to put a slightly better face on it.) Many stories soon noted that the USG and US firms worried about the impact of China’s retaliation in response to the symbolic act. As of today, no Chinese military officers are in the dock.

In March of this year, USG officials bragged to Nakashima that “the financial sanctions imposed against North Korean officials following the [Sony] attack and the indictments last year against five Chinese military officials who were accused of stealing corporate secrets from U.S. companies show greater resolve to hold adversaries accountable.” In historical context, this claim was laughable.

Two weeks later, Nakashima wrote:

President Obama on Wednesday signed an executive order establishing the first sanctions program to allow the administration to impose penalties on individuals overseas who engage in destructive attacks or commercial espionage in cyberspace.

In the works for two years, the order declares “significant malicious cyber-enabled activities” a “national emergency” and enables the treasury secretary to target foreign individuals and entities that take part in the illicit cyberactivity for sanctions that could include freezing their financial assets and barring commercial transactions with them.

A senior administration official told Nakashima that “the new order puts people on notice ‘that we’re not going to just stand by while these threats grow.’” Again, laughable.

A month ago David Sanger reported that the administration “has determined that it must retaliate against China for the theft of the personal information of more than 20 million Americans from the databases of the Office of Personnel Management, but it is still struggling to decide what it can do without prompting an escalating cyberconflict.” He added:

But in a series of classified meetings, officials have struggled to choose among options that range from largely symbolic responses — for example, diplomatic protests or the ouster of known Chinese agents in the United States — to more significant actions that some officials fear could lead to an escalation of the hacking conflict between the two countries.

That does not mean a response will happen anytime soon — or be obvious when it does. The White House could determine that the downsides of any meaningful, yet proportionate, retaliation outweigh the benefits, or will lead to retaliation on American firms or individuals doing work in China. President Obama, clearly seeking leverage, has asked his staff to come up with a more creative set of responses.

In other words, more public equivocation.

And then yesterday Nakashima reports that the U.S. government “has not yet decided whether to issue” the supposedly unprecedented sanctions it has developed for China, and notes that “a final call is expected soon.”

As I have explained before, figuring out how to sanction China for its cyber intrusions is hard because (among other reasons) (i) the USG cannot coherently sanction China for its intrusions into US public sector (DOD, OPM, etc.) networks since the USG is at least as aggressive in China’s government networks, and (ii) the USG cannot respond effectively to China’s cyber intrusions in the private sector because US firms and the US economy have more to lose than gain (or at least a whole lot to lose) from escalation—especially now, given China’s suddenly precarious economic situation.

But even if sanctions themselves are hard to figure out, the public hand-wringing about whether and how to sanction China is harmful. It is quite possible that more is happening in secret. “One of the conclusions we’ve reached is that we need to be a bit more public about our responses, and one reason is deterrence,” a senior administration official in an “aha” moment told Sanger last month. One certainly hopes the USG is doing more in secret than in public to deter China’s cybertheft. Moreover, one can never know what cross-cutting machinations by USG officials lie behind the mostly anonymous leaks that undergird the years of stories about indecisiveness.

Still, the aggregate effect of public stories about the administration's persistent inability to do come up with a serious response to China’s cyber intrusions is, I think, devastating to our public and private security. As I wrote earlier this month:

A nation cannot establish any form of deterrence when the world sees that it is undecided about what to do. Any retaliation now, after all the public uncertainty about how to proceed, will hardly establish a credible deterrence policy; and the fact that the USG is [as Sanger reported] considering "symbolic" responses shows just how unserious it is about deterrence. The failure to have a credible deterrence policy has repercussions far beyond the Chinese to other State and non-State parties.

This last sentence, I think, is key. If we have been secretly sanctioning China the sanctions have not been working against China. And the public fumbling and vacillation in the USG’s response to China only encourages the third parties (public and private) who would also infiltrate USG public and private networks.