More Questions About the USG Basis for Complaints about China’s Cyber Exploitations

By Jack Goldsmith
Thursday, May 30, 2013, 7:24 AM

I have written many posts about China's cyber exploitations that make two points (among others): (1) USG complaints about China’s cyber exploitations against USG databases (such as those in DOD) are hypocritical (and not likely to influence Beijing) since the USG is at least as aggressive against China’s government databases as China is against ours, and probably better at it; and (2) while the USG does not engage in espionage against private firms abroad to the same degree as our adversaries (and some of our allies), such espionage is widely practiced and does not violate international law, and our complaints seem to amount to the claim that the Chinese are not playing by the rules that suit the USG.

Against this background, and in light of Ellen Nakashima’s scary report on China’s cyber-intrusions into U.S. weapons design systems (the significance of which DOD has questioned), I highly recommend this piece by Michael Riley at Bloomberg/Businessweek, entitled How the U.S. Government Hacks the World.  The whole story is worth a read.  (For example, it quotes former DNI Mike McConnell to the effect that over 75% of the information in the President’s daily intelligence briefing comes “from government cyberspies”).  But I was especially interested to see the two points above articulated by General Michael Hayden, the former NSA and CIA Director:

Created in 1952 to intercept radio and other electronic transmissions—known as signals intelligence—the NSA now focuses much of its espionage resources on stealing what spies euphemistically call “electronic data at rest.” These are the secrets that lay inside the computer networks and hard drives of terrorists, rogue nations, and even nominally friendly governments. . . .

The key role NSA hackers play in intelligence gathering makes it difficult for Washington to pressure other nations—China in particular—to stop hacking U.S. companies to mine their databanks for product details and trade secrets. . . .

The Chinese response, essentially: Look who’s talking. “You go in there, you sit across from your counterpart and say, ‘You spy, we spy, but you just steal the wrong stuff.’ That’s a hard conversation,” says Michael Hayden, who headed the NSA, and later the CIA, under Bush. “States spying on states, I got that,” says Hayden, now a principal at the Chertoff Group, a Washington security consulting firm. “But this isn’t that competition. This is a nation-state attempting espionage on private corporations. That is not an even playing field.” . . .

The U.S. government doesn’t deny that it engages in cyber espionage. “You’re not waiting for someone to decide to turn information into electrons and photons and send it,” says Hayden. “You’re commuting to where the information is stored and extracting the information from the adversaries’ network. We are the best at doing it. Period.” The U.S. position is that some kinds of hacking are more acceptable than others—and the kind the NSA does is in keeping with unofficial, unspoken rules going back to the Cold War about what secrets are OK for one country to steal from another.  “China is doing stuff you’re not supposed to do,” says Jacob Olcott, a principal at Good Harbor Security Risk Management, a Washington firm that advises hacked companies.

Great stuff, which makes clear why the United States doesn't have a leg to stand on in complaining about China's infiltration of our government databases.  As for cyber exploitation of private firms in the United States, when Hayden complains about an uneven playing field in private cyber exploitation, and when Olcott says “China is doing stuff you’re not supposed to do,” I read: “China is engaged in cyber exploitation of our private firms that we don’t like and to an extent we would never contemplate, and it’s just not fair!”  This is basically what the USG position has been for a while.  The United States can whine all it wants.  But it seems rather pathetic, as do the supposedly “tough” sanctions that Washington has been “considering” for what seems like years, including publicly accusing China of cybercrimes (which always seems like a big step inside the government but which is a yawn to the outside world) and threatening “trade sanctions, diplomatic pressure, indictments of Chinese nationals in U.S. courts and cyber countermeasures—both attack and defense.”  I don’t think any of these threats except cyber countermeasures has any chance of being effective.  But there is an interesting question about what form such countermeasures might take, since I do not believe either domestic or international law would permit retaliatory cyber-attacks, and the USG is already engaged in extensive cyber exploitations, and has little to gain on the "private" side in China.  Chinese cyber exploitation of U.S. firms is a real conundrum about which I have complained a lot, but for which, I must confess, I don’t have great solutions.