James Lewis had an op-ed yesterday in the WP about “Five Myths About Chinese Hackers.” The fifth myth:
5. America spies on China, too, so what can we complain about?
Chinese officials portray their country as a victim of hacking. Meanwhile, some American scholars question whether the United States is in a position to criticize, since it also engages in cyber-espionage. “Perhaps the complaint is that the Chinese are doing better against our government networks than we are against theirs,” law professor Jack Goldsmith wrote. That misstates the issue.
The Internet, poorly secured and poorly governed, has been a tremendous boon for spying. Every major power has taken advantage of this, but there are unwritten rules that govern espionage, and China’s behavior is out of bounds. Where Beijing crosses the line is in economic espionage: stealing secrets from foreign companies to help its own. China also outmatches all other countries in the immense scale of its spying effort, and the United States is far from the only nation to have suffered.
The United States, by contrast, does not engage in economic espionage. As one Chinese official put it in recent talks at the Center for Strategic and International Studies: “In America, military espionage is heroic and economic espionage is a crime, but in China the line is not so clear.”
The United States and other countries need to make that line clearer and discourage China from crossing it.
There are several fundamental problems here.
First, it is not true that “unwritten rules” prohibit economic espionage. Economic espionage is expressly prohibited by U.S. domestic law, but is not prohibited by international law, written or unwritten, and it is widely practiced.
Second, it is not true that the Chinese are doing something that other countries don’t do (though it is true that they do it better and more extensively than most). A 2011 Report by the Office of the National Counterintelligence Executive made clear that in addition to economic espionage by China and Russia, “[c]ertain allies and other countries that enjoy broad access to US Government agencies and the private sector conduct economic espionage to acquire sensitive US information and technologies” (my emphasis). The report added (my emphasis): “Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence (HUMINT). Some of these states have advanced cyber capabilities.” To take an old example, according to a 1996 NRC Report on Cryptography Policy (p. 33), in the 1990s the Director of France’s Central Directorate for Domestic Intelligence noted that economic intelligence was “a field which is crucial to the world’s evolution” and that economic theft was a long-term French government policy.
Third, it is not true that “[t]he United States . . . does not engage in economic espionage.” In a 1991 essay (behind paywall), former CIA Director Stansfield Turner noted that “as we increase emphasis on securing economic intelligence, . . . we will have to spy on the more developed countries—our allies and friends with whom we compete economically.” Former CIA Director James Woolsey said in 2000 that the United States “steal[s] secrets with espionage, with communications, with reconnaissance satellites” from “foreign corporations and foreign government’s assistance to them in the economic area,” in three “main [i.e. probably not exclusive] areas”: (1) to understand how sanctions regimes are operating; (2) to monitor dangerous dual-use technologies in private hands; and (3) to learn about bribery practices. With regard to (3) the 1996 Aspin-Brown Report suggested that the USG spies on foreign firms to “identify situations abroad where U.S. commercial firms are being placed at a competitive disadvantage as a result of unscrupulous actions, e.g. bribery and ‘kickbacks.’” Presumably the United States also gathers intelligence from foreign private defense and intelligence firms. What the USG claims not to do, according to the Aspin-Brown Report, is to collect “proprietary information of foreign commercial firms to benefit private firms in the United States.” That exception is narrow and carefully qualified. Moreover, the 1996 NRC Report (p. 99) says: “According to the National Security Agency (NSA), the economic benefits of SIGINT contributions to U.S. industry taken as a whole have totaled tens of billions of dollars over the last several years.”
Fourth, U.S. public and foreign audiences don’t really know the precise USG policy on foreign economic espionage. The policy is not written in law, and we only know what officials have told us in snippets over the years. Not surprisingly in light of the NSA’s reputation and the many news stories about USG cyber capabilities, the USG is widely viewed abroad to be a leader in economic espionage. The 2011 NCW Report notes that “the Germans view France and the United States as the primary perpetrators of economic espionage ‘among friends.’” It also notes that France’s Central Directorate for Domestic Intelligence has called China and the United States the leading “hackers” of French businesses.
Fifth, here is the real point: It is certainly true that China is doing something to us (stealing economic secrets to advantage its firms) that harms us and that we are not doing to it, at least not to nearly the same degree. But we are also doing things to China that its government views as direct attacks on the integrity of the Internet and on China’s sovereignty – most notably, taking direct and indirect steps to loosen the government’s strict control over its Internet (by promoting and supplying censorship-evasion technologies, and in other ways). Each nation is engaged in cyber operations against the other that serve its aims and interests and that aim to damage the other’s interests. The Chinese are at least as alarmed by the USG gambit to foster an open Internet as the USG is alarmed by Chinese economic cyber espionage. Indeed, the Chinese view cybersecurity not primarily in terms of theft of data, but rather in terms of various efforts to bring “openness” to the Internet. There is a fundamental clash of visions here – what Tim Wu and I once described as “struggles between nations and their national network ideologies.”
I hope it goes without saying that I am firmly on the side of the USG in this clash. But these issues are usually discussed in the U.S. press, by serious U.S. thinkers, and by USG officials in a one-sided way – as if the United States is only a victim of cyberoperations, and as if the USG is not aggressively using various types of cyberoperations to serve its national interests in ways that other countries find offensive, deeply unfair, and harmful to their security. When the rest of the world (including the Chinese) looks at the United States, it does not think of weakness in the cyber realm. Instead, it thinks about (as I recently wrote) the “redoubtable National Security Agency, its newly established Cyber Command, its documented successes in true cyberattacks, its publicly announced plans to enhance significantly its cyber capabilities (including offensive capabilities), its commitment to preemptive offensive measures to check serious cyber threats, and its aggressive policy of promoting online censorship-defeating tools.” It also thinks about the massive advantages of our industries, including, especially, the dominance of our IT-related industry (Apple, Google, Microsoft, Facebook, etc.), which is an important source of U.S. global economic and political power.
The reason this is important is that the one-sidedness of the dialogue in the United States is not conducive to progress on the global cybersecurity crisis that the USG seems, on balance, to be losing. Paraphrasing what I said several years ago, we are too much in the habit of focusing on the bad cyber things others are doing to us, and too little in the habit of focusing on what we do to others, and how others view our cyber operations, public and private. Serious progress on global cybersecurity will not occur until we acknowledge – first of all to ourselves – that in most respects we are (and are widely viewed as) dominant aggressors in cyberspace, and until we contemplate which of our cyber activities we might tamp down on in exchange for reciprocal concessions by our adversaries. Commentary in the United States too often proceeds on the assumption that the USG can have its cake and eat it too on cybersecurity. But that has not been true to date, and I see no reason why it ever will be.