Cybersecurity: Crime and Espionage
The US Really Does Want to Constrain Commercial Espionage: Why Does Nobody Believe It?
At a recent speech I gave, I was annoyed to hear representatives of a European energy company express the concern that the National Security Agency is spying on them and giving information to American oil companies. There is clear public evidence to the contrary, but despite repeated denials, many Europeans continue to believe that the U.S. engages in commercial espionage, despite the September 2015 agreement between President’s Xi and Obama.
This agreement states:
that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.
The United States actually lives by this rule. It really doesn’t do commercial espionage. Moreover, it actually wants to create an international norm under which that restraint is the norm. It’s an interesting and telling fact that the U.S. has such trouble getting other countries to believe it doesn’t spy for its companies.
The US-China agreement is not an agreement to stop spying, but to stop spying to assist one’s companies. This is a crucial point for clarifying the confused discussion as to whether China continues to hack or not hack American companies. It was also not an agreement to stop hacking. It was an agreement that government agencies will not to hack if the intent is to steal information to give advantage to a company. The carefully crafted language of the agreement shows that both countries will continue in espionage for political-military purposes and, in some instances, this will involve spying on the others’ companies. What they will not do (and so far China appears to be implementing the agreement) is spying to provide their own companies with commercial advantage.
The agreement by China may not only reflect concern over the risk of U.S. sanctions during the summit but larger Chinese interests in modernizing the PLA and tightening discipline and centralizing the tasking of intelligence collection. Since some of the commercial espionage involved freelance activity by the PLA (and others), Xi’s larger drive to increase the party’s control works in favor of the agreement. But this kind of entrepreneurial espionage is not a light switch that can be turned on or off at will.
The agreement language was specifically written to not catch conventional spying. It reflects U.S. policy on commercial espionage. The U.S. is very likely to honor this commitment not to engage in commercial espionage for several reasons. First, to do otherwise would legitimize China’s commercial espionage programs, something that is not in the U.S. interest. More importantly, the U.S. does not steal information to give to its companies, as a rule. That none of the documents released from the vast trove of material pilfered by Edward Snowden points to this kind of commercial espionage is indicative. Those who control the Snowden documents are eager to release anything that would harm the U.S., yet they have not yet produced an example of information being given to a U.S. company.
It is a standard negotiating tactic to propose that your opponent agree to something you already do; this avoids real concessions and certainly simplifies compliance. U.S. law penalizes economic espionage. This law on economic espionage is almost unique in the world. The 1996 Economic Espionage Act was written specifically to give the Justice Department greater authority to prosecute this kind of activity as a crime. It applies to both U.S. citizens (wherever they are located) and to foreign persons acting in the United States.
This is not to say that foreign companies are never targets of American espionage, but the purposes of this espionage is not to give commercial information to American companies. This differs from foreign practice. China is not the only country to have engaged in commercial espionage (although the scale of its programs dwarfs other nations’ efforts). What we know of American espionage against foreign companies (thanks to Snowden) is that the intent of the espionage against commercial targets is to support other American policies: non-proliferation, sanctions compliance, trade negotiations, foreign corrupt practices, and perhaps to gain insight into foreign military technologies. The U.S. as well as other nations who care about such things regard these as legitimate targets for spying—legitimate in the sense that this kind of espionage would be consistent with international law and practice. This spying supports foreign policy goals shared by many countries, in theory if not always in practice.
Under this approach, if a European or Asian company sells equipment to an Iranian nuclear program, it makes itself a legitimate target for espionage. The intent of such espionage is to understand what was being provided to Iran, not to help American companies build competing products. Corrupt practices are another legitimate target for espionage. Corruption in the form of bribes or kickbacks are not unknown in many countries, and few countries have anything similar to the U.S. Foreign Corrupt Practices Act, which criminalizes such behavior. For example, if a European manufacturer of military aircraft offered a Middle Eastern potentate an immense sum to select their aircraft, that company becomes a legitimate target for espionage. The same is true for a foreign company that pays politicians in other nations to gain influence at the behest of its government; this company is a legitimate target for espionage.
The U.S. may also engage in espionage against foreign companies in an attempt to learn about foreign military technologies and weapons systems, to gauge their capabilities and develop counter-measures. It is not alone in doing this; the U.S. defense industrial base is a favored target for many countries. But it does not appear that the U.S. takes foreign military technology to use to develop its own weapons. In part this may reflect a degree of hubris, the belief that American technology is superior to any foreign product. This belief in the superiority of American technology, justified or not, could also make commercial espionage generally unattractive to the U.S. In the past, the U.S. has reviewed whether it should change this policy of not engaging in commercial espionage, but it has apparently rejected any change on the grounds that little would be gained.
The U.S. provides intelligence to American companies to warn them of impending attacks or of foreign espionage efforts directed against them (which is a daily occurrence for American companies in some sectors, such as aerospace, defense, oil and gas, or high tech,). Spying to understand how foreign companies support the espionage activities of their own governments (not an unknown occurrence) also justifies espionage against them without crossing the line to becoming commercial espionage.
Moreover, espionage to gain economic information is not commercial espionage, in the U.S. view, and is legitimate since it focuses on political decisions. That said, the political risk of this kind of collection may be too high to justify it. The ratio of risk to return on economic espionage was always questionable. Generally speaking, economic intelligence collected by government agencies will always be of lesser value than what is available to commercial actors. The investment community has much more powerful incentives to know the actual situation in a particular market or country. The most valuable use of technology by an intelligence agency for economic purposes may well be an email or phone call to a friend in a financial center like Wall Street.
The reluctance to accept that the U.S. really does not engage in commercial espionage stems from a number of different factors. In some countries, there may be assumptions based on national practice, the reasoning being that since my government provides me with commercial intelligence, the American government must be doing the same. The general unhappiness about the dominance and practices of some American internet companies and their effect on privacy may also provide emotional reinforcement to the belief in American commercial espionage.
There is also a widespread assumption of an omnipresent and global American collection apparatus, leading to the conclusion that since the U.S. collects everything, this must include commercial intelligence. But the whole notion of mass surveillance is nonsense; most of what would be collected under such a system would be worthless, and looking at it would waste scarce resources. Paranoia is not a reasonable substitute for analysis. Some of the disbelief in American denials stems from the carefully tailored Snowden revelations, which were used to create a powerful but inaccurate narrative. In fact, collection is targeted on specific foreign policy and national security objectives and is not omnipresent.
The language in the Xi-Obama agreement was endorsed by the leaders of the G-20, the richest economies in the world. The G-20 Communique said:
we affirm that no country should conduct or support ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.
The U.S. and China would not have made this commitment to the twenty most powerful countries if they did not intend to abide by it. The real issue is not whether the U.S. engages in commercial espionage to help its companies, but whether other countries’ behavior will change in light of this agreement, something that for a few of the G-20 countries will require significant changes in national policy and practice.
Agreement with other countries to refrain from engaging in any kind of spying is bold and risky, since the incentives for nations to spy are usually overwhelming. The usual arguments--that no one will honor an agreement, that everyone does this, and that the practice dates to time immemorial--are glib and deserve closer examination. Agreements to limit commercial espionage may be possible and, as the ability to attribute cyber incidents continues to improve, verifiable. These kinds of agreements have in the past been anathema to nations, but the global connectivity of the internet, which creates a new kind of propinquity and new kinds of dependencies, will require rethinking the value of agreement to constrain espionage.