September 30, 2015
In recent years stories of cyber espionage have become common in the news. Experts debate the actual economic impact of cyber espionage, but seem to be convinced that it is one of the greatest threats to U.S. economic security. As its economy has stagnated and it seeks to retain a competitive edge, China is often identified as a major impetus for commercial cyber espionage. For example, in March 2012, Tze Chao, a former DuPont employee, pleaded guilty to conspiracy to commit cyber espionage. In his plea, he admitted to passing trade secrets related to DuPont’s proprietary blend of titanium dioxide (TiO2) to companies he knew to be controlled by the government of the People’s Republic of China (PRC) over his a 36-year career with DuPont. Moreover, he admitted that he passed the information as a result of a desire of the PRC to obtain the technology from western companies.
The U.S. is working to find ways to protect itself from outside cyber attacks. In May 2014, the U.S. indicted five Chinese nationals, including members of the Chinese military, in China, alleging that the defendants had conspired to hack into the computers of U.S. businesses to steal trade secrets and other sensitive information that would provide Chinese companies a competitive edge. Domestic criminal statutes may have little practical effect, but they set the stage for international pressure on China to take action. For example, in the days leading up to the highly anticipated September visit of President Xi Jinping, National security advisor Susan Rice highlighted the impact of China’s cyber spying against American companies, saying that the spying “isn’t a mild irritation… It puts enormous strain on our bilateral relations and it is a critical factor in determining the future trajectory of U.S.-China ties.” “Cyber-enabled espionage that targets personal and corporate information for the economic gain of businesses undermines our long-term economic cooperation and it needs to stop,” Rice said.
Despite evidence and accusations to the contrary, President Xi recently told the Wall Street Journal that “[t]he Chinese government does not engage in theft of commercial secrets in any form, nor does it encourage or support Chinese companies to engage in such practices in any way. Cybertheft of commercial secrets and hacking attacks against government networks are both illegal; such acts are criminal offenses and should be punished according to law and relevant international conventions. China and the United States share common concerns on cybersecurity. We are ready to strengthen cooperation with the U.S. side on this issue.”
Ostensibly, China has taken steps to implement both a domestic and international program to combat cyber crimes. In July, China passed cyber security legislation which requires that Chinese Internet providers store data collected within China, in China. This gives the Chinese government what would seem to be exclusive dominion over the information under current regulatory schemes. The bill is designed to allow the government to take all necessary steps to “safeguard cyberspace sovereignty and national security” from the threat of cyber attack, cybercrime and the spread of “harmful” information online. The sweeping powers granted by the legislation should, in theory, enable the Chinese government to prosecute cyber offenders domestically as alluded to by President Xi. However, some in the international community are skeptical of the move, criticizing it as a step in the wrong direction. The law is aimed at protecting domestic users from incursions into their network, but also gives the government unprecedented access to the personal and business information of its citizens. The law seeks to regulate “critical information infrastructure” by not just protecting it from cyber attack but also allowing stricter enforcement of the type of censorship that groups such as Human Rights Watch have denounced for many years.
Despite concerns with China’s domestic legislation, the U.S. government’s attention is on cyber issues, including the challenges of international espionage. During President Xi’s first stop in Seattle in September, he met technology industry leaders at a banquet that preceded his visit with U.S. officials in Washington. President Xi told the audience “commercial cyber theft and hacking against government networks are crimes that must be punished in accordance with the law and relevant international treaties… The Chinese government will not… engage in commercial theft or encourage or support such attempts by anyone.” He indicated China’s willingness to engage in dialogue with the U.S. regarding cooperation on cyber crime.
President Xi came through on his promise during his meeting with President Obama on September 25. While no sweeping agreement was anticipated, in no small part because the U.S. and China cannot even agree on what portions of international law might govern cyber crimes, the two presidents indicated that they had reached a “common understanding” on combating cyber espionage. Both agreed that neither government would knowingly support the theft of corporate secrets or business information.
Many saw the sides reaching a common understanding as a start to an international dialogue on cyber espionage. However, while the two countries acknowledged the existence of a problem, neither seemed confident that a solution, or even cooperation, was in the foreseeable future. President Obama concluded his statement by asking, “are words followed by actions?” He also threatened sanctions against cyber criminals. President Xi urged the U.S. to address the problem through bilateral agreements and to not “politicize the issues.”
Even more troubling than the lack of agreement on corporate espionage is the absence of any discussion of government cyber spying for the purposes of gathering intelligence. In April 2015, the U.S. Office of Personnel Management (OPM) discovered that the personal data – including addresses, dates of birth, and Social Security numbers – of 4.2 million Federal government employees was compromised by a cyber attack. This, however, was only the beginning. OPM announced in June 2015 that during the investigation of the massive data leak, it found that sensitive information pertaining to as many as 21.5 million individuals was compromised. In addition, OPM announced that the data compromised was more extensive than it originally thought – the compromised data included comprehensive background investigations of many employees. Further, on September 22, OPM announced that the fingerprint information of 5.6 million federal employees had been stolen. OPM’s estimation of the extent of the breach grows as each new data set is revealed. The economic threat is estimated to be in the billions, while national security experts estimate that the threat to national security could linger for up to 40 years. China has denied any involvement in the attacks.
The U.S. has been careful to not officially blame China for the OPM breach, though news reports site unofficial sources and government investigators as pointing to China as the leading suspect. In practice, the U.S. is reluctant to blame states openly for cyber attack because, as cases such as Tze, the outstanding Chinese indictments, and the OPM breach all show, it is difficult to overcome the problem of attribution. While Tze admitted his own guilt and voluntarily implicated the Chinese government, the remaining cases will be more difficult to bring to justice because it is extremely difficult to trace an attack to an individual, and maybe even harder to a state. The U.S. has not admitted defeat, however. Discussing the 2014 indictments, Assistant Attorney General for National Security John Carlin stated that “State actors engaged in cyber espionage for economic advantage are not immune from the law just because they hack under the shadow of their country’s flag.”
China and the U.S. agree that cyber espionage is a threat that no state should tolerate. But neither country seems able to move forward in a way that meaningfully combats the crime. Despite the legal and diplomatic challenges involved, the cost of cyber espionage in all its forms is too great for us to be content with “common understandings.” The Department of Justice and President Obama should use all of the tools at their disposal in response. Deterrence of state actors will require more than a few indictments that are unlikely to end in successful prosecutions. Concrete action – such as following through on the sanctions against cyber criminals threatened in the President’s September 25 statement – is required to send a message to the international community that the time to set cyber norms is now.