Is This the Best Response to China’s Cyber-Attacks? 

A ChinaFile Conversation

On Monday, the United States Attorney General Eric Holder accused China of hacking American industrial giants such as U.S. Steel and Westinghouse Electric, making unprecedented criminal charges of cyper-espionage against Chinese military officials. Almost immediately, the Chinese Ministry of Foreign Affairs said Beijing had canceled U.S.-China Internet Working Group activities and demanded that the U.S. rescind the charges that it said were based on "concocted" claims. Will the U.S. succeed?  Is Washington opening itself up to more criticism for its own electronic surveillance? What are the charges likely to do to U.S.-China Relations overall?

Comments

I assume China is guilty as charged—that the five accused PLA officers or others in their demographic committed cyber espionage against American firms to steal technology and gain other competitive advantages. I assume there were more than five people involved.

It’s a serious problem and China denies its existence. This makes bilateral discussion of the matter a bit one-sided. When China refuses to engage seriously on an issue, either through denial in the face of strong evidence or unevidenced assertion of its own positions, the United States increasingly resorts to name-and-shame tactics. In the South China Sea, China’s “I Am That I Am” defense of its territorial claims is pushing the U.S. toward ever bolder rejection of the nine-dash line: You am not either.

Against this background, and under American law, the Department of Justice’s indictments are justified. But they won’t be effective and they may prove counter-productive.

No one expects China’s leaders to extradite the officers or to confess that they were following orders from the party they serve. What we should expect—and what we got from China right after Attorney General Holder’s announcement—is stronger denials, tit-for-tat accusations, and suspension of the Sino-U.S. Cyber Working Group’s interactions. This response surely figured into USG calculations. We went ahead with the indictments, probably in order to demonstrate our commitment to protecting American businesses and for lack of a better idea.

Name-and-shame is, after all, a tactic of last resort—a throwing up of hands. It’s an understandable reaction but it doesn’t work with China, at least in the short or medium terms.

Not only will the indictments not solve the cyber espionage problem, naming Chinese officers as international criminals may harm the military-to-military relationship, which has improved lately. China’s top general was in Washington last week at the invitation of the U.S. Chairman of the Joint Chiefs of Staff and China will, for the first time, participate in the Rim of the Pacific military exercises hosted by the United States this summer. Exchanges such as these can decrease the likelihood of accidental conflict and improve joint crisis management. It would be a blow to the relationship if China cancelled military exchanges in response to the indictments.

The American case against China would be stronger if other offended nations stood beside us. The NSA’s hacking programs make that unlikely, of course. They also make American moralizing on distinctions between espionage for security’s sake and espionage for economic advantage unconvincing to many Chinese. In China’s political and popular narrative, the humiliations China suffered at foreign hands beginning in the mid-19th Century mean that the moral balance will be tilted in China’s favor for some time between the foreseeable future and forever. China is always the injured party; that is as central to China’s virtue narrative as Holder’s statement that “The success of American companies since our nation’s founding has been a result of hard work and fair play by our citizens” is to that of the United States. China’s State-Owned Enterprises, furthermore, play a role in China’s national security as profit centers, bearers of prestige, and as channels for the introduction of technology. Their prosperity is essential to state security from the Chinese Communist Party’s point of view.

I don’t mean to imply that America is wrong about the facts in this case. I do wonder if our policy is wrong-headed. If our goal is to alleviate the problem, making China lose face (I know, I know—they did it to themselves) is not the way to go. China cares more about face than we do and will fight harder to save it. Bilateral and multilateral consultation will yield better results over an arduous, imperfect long run. The best we’ve got is unsatisfactory, but it’s still the best we’ve got.

I think it’s a terrible action taken by the U.S. Justice Department to indict five Chinese military officials for alleged cyber attacks, which the Chinese have totally denied.

First, such action has destroyed the mood for bilateral talks on cyber security. So it’s not a surprise that the Chinese foreign ministry would immediately react by cancelling the working group meeting. And the U.S. should be held responsible for damaging such a mechanism the two governments worked hard to set up last year.

Second, the U.S. action could invite Chinese retaliation, such as indicting U.S. officials responsible for the widespread NSA hacking into Chinese government, military and commercial entities. And we all know that tit-for-tat leads to nowhere but only escalation. But I am curious to see who might be on the list.

Third, indicting five military officials seems to suggest that what has been alleged by the U.S. falls in the military and national security domain. And if that is true, it is something that the U.S. has been doing more aggressively than other nations.

Fourth and definitely the most important one, the U.S. is now known to be the largest cyber attacker in the world, after the Edward Snowden revelation. So the US has completely lost its moral high ground to teach others what should be the norms or rules of the road in cyber space. It should work with others. The U.S. only claims what it does not do, which I don’t believe. But the U.S. has never said what it does given the huge capacity it has in cyberspace.

I am pretty sure that the 99 percent of Edward Snowden’s files which have NOT been made public so far will serve as the best proof how ridiculous it is for the U.S. to charge other nations with cyber espionage in each and every domain.

This indictment may be an unprecedented and audacious step in confronting one of the emerging pressing issues of these digital times. I believe, however, that it is unfortunately a problematic one. Robert Daly and Chen Weihua have, in their contributions, already pointed at its effect on Sino-U.S. relations in cybergovernance and related fields. Today’s New York Times analysis discusses the difficulty of separating the economic and security dimensions of cyberespionage and hacking. It also quotes Kevin Mandia, whose February 2013 report brought China’s cybercapacity to the top of the agenda, as saying that “this is a logical escalation of the pressure.”

Except, it is not. A logical escalation of pressure would have been a civil intellectual property or trade secrets suit against those Chinese companies that use allegedly stolen information. This could take place in a third locality, such as Hong Kong or Singapore. A civil conviction might have even more profound consequences: it would impact Chinese SOEs’ ability to operate lawfully in overseas markets, apply for stock exchange listings, and even settle payments in Dollars. Their foreign assets might be liable to seizure, and key staff might be limited in their travel options. In short, a civil conviction would hit where it hurt, unlike this criminal procedure. Furthermore, a civil suit, initiated by a victim of hacking, would have the benefit of keeping some clear water between government and commerce. It would have enabled the U.S. Government to maintain the dialogue in the cyber working group and other forums, while leveraging a private initiatives to obtain agreements on more workable rules and practices. This would have given greater credibility to the security-commerce juxtaposition in U.S. discourse and provided a better defence against the inevitable accusations of hypocrisy that have rapidly arisen.

To be sure, a civil suit would have had its own difficulties. Evidentiary proceedings would be a nightmare, while individual companies would suffer from first-mover disadvantage, jeopardizing its access to Chinese markets, materials and opportunities in a process equally or more beneficial to other companies. In that sense, a government-initiated suit at least provides an easier way out. But this simplicity comes at the price of soured governmental relationships and fall-out in other policy areas, such as currency or the environment, against no apparent benefit.

In this area, we are faced with diametrically opposite political positions and interests. In China, SOEs are important sources of political and economic power as well as social stability, while the PLA virtually escapes civil oversight. The U.S. seems to believe it needs global surveillance in order to keep its homeland secure and defend its interests worldwide. Between them, technology has vastly decreased the amount of efforts and resources necessary for capturing and extracting information. Consequently, any move forward requires mutual restraint based on well-understood self-interest, as well as arduous negotiations and compromise-building. As companies grow increasingly larger and internationally powerful the proper relationship between commerce and security must be discussed at a multilateral level. True, China has never convincingly refuted the Mandiant report, nor did it reciprocate recent U.S. openings for transparency in cyber warfare. But Snowden rather eroded the U.S. moral position. What we need is adept diplomacy, what we got is a blunt instrument.

The recent US grand jury indictment of five members of the Chinese People’s Liberation Army can be viewed as either a novel escalation in the cybersecurity contest between the two nations or a logical extension of longstanding efforts to prosecute industrial espionage. At the end of the Cold War, a spate of economically-motivated espionage incidents by US allies including France, Germany, Japan, South Korea, and Israel prompted Congress to pass the 1996 Economic Espionage Act. Of the nine foreign espionage cases prosecuted under the EEA, eight had some connection to China, and all but one of these alleged that the defendant acted to benefit a Chinese government entity. Three have had connections to China’s National High Technology Research and Development Plan, better known as the 863 Program, which provides guidance for both licit and illicit technology transfer. Through 2012, moreover, 115 cases were prosecuted under the more general trade secrets provision of the EEA, and these also, increasingly, feature a Chinese connection.

In this context, industrial espionage is industrial espionage, whether conducted by human spies or cyber intrusion. China has long been interested in stealing trade secrets to support an industrial policy of “indigenous innovation,” and the US has long been willing to make solid evidentiary cases when Chinese spies get caught. This episode is no different. China’s standard denials of responsibility for cyber attacks provide no alibi for the persuasive attribution case made in the US indictment, and the indictment sets a high evidentiary bar for Chinese counteraccusations of American espionage.

Nevertheless, it does broach new ground by fingering Chinese military personnel actively serving in China. Retaliation by China, perhaps even outing US intelligence personnel serving at the NSA, is probably inevitable, although accusations are sure to be more rhetorical than evidence-based. Notably, the US indictment focuses only on economic espionage against private US firms, even though, according to reporting from cybersecurity firm Mandiant in early 2013, the same PLA unit in Shanghai has also been actively collecting Western national security data. The selective focus on economic targets in the legal case should be understood as an attempt by the US to reinforce a normative distinction between spying for security and spying for profit. Presidential Policy Directive 28, issued by the Obama Administration following the Snowden leaks, expressly forbids “the collection of foreign private commercial information or trade secrets…to afford a competitive advantage to U.S. companies and U.S. business sectors commercially.” China has thus far refused to recognize this distinction.

This incident is neither the first nor the last word in the emerging international argument over norms for cybersecurity. Contestation in this area is sure to be a fixture of Sino-American relations for years to come, even as hacking comes to be seen as an increasingly normal variety of friction in world politics.

Those above have made most elements of the convincing case for why the new U.S. indictment may be counterproductive, both for the narrow goal of fighting commercial espionage and for the broader goal of maintaining a stable U.S.–China relationship. I agree with almost everything that has been said, and especially share concerns that this type of move might jeopardize important elements of bilateral ties while getting little in return. But it is worth considering the conditions under which this move might not be entirely counterproductive.

The costs on the cybersecurity side may be small, if only because little progress was likely being made. Viewed as part of a multi-year campaign to combat Internet-enabled commercial espionage, the new charges reflect a significant public escalation that was sure to provoke a response. It is reasonable to assume, therefore, that the bilateral Cyber Working Group, which China has suspended in response to the U.S. charges, was not making satisfactory progress from the perspective of the White House. It’s easy to understand why. Both governments have trouble—even internally—coming to consensus about terminology and principles for cyberspace. A working group meeting every few months would have great trouble making real progress in recognizing norms or “rules of the road,” especially when the two countries have such different interests. The unfortunate fact is that global cybersecurity politics is in its infancy, and the U.S.–China dialogue on the issue is no different. It’s no great harm if nonproductive efforts get suspended.

But policy has to do better than minimizing harm, and convictions or reductions in commercial espionage (which the Chinese government flatly denies engaging in) are unlikely. So where’s the benefit?

Former Bush administration Justice Department official Jack Goldsmith suggests a plausible motivation, though a slightly cynical one: "to demonstrate credibly to several audiences, at home and abroad, that [the government] is fed up with current levels of corporate cybertheft.” The U.S. business community wants action, and this looks like action. From the Obama administration’s perspective, faced with a persistent trickle of reports stemming from Edward Snowden’s cache of leaked documents, this is also an opportunity to display continued determination to pursue a cybersecurity agenda in areas it views as out of bounds—even when much of the world sees many U.S. activities as out of bounds. Viewed this way, the indictments speak to domestic and international audiences both on cyber theft and on broader cybersecurity issues, and they may project strength. (Stories that question the U.S. government’s principles, however, may undermine any perceived strength.)

Strategically, there may be a benefit in having made these charges and hinted that there may be more coming. The Chinese government reaction so far has been measured, if vocal. Assuming it remains measured, the U.S. government now has room to escalate with further public charges or to hold position and allow this story to slowly die. The Chinese government is forced to consider that more costly measures may be on the U.S. menu, and may eventually take the problem more seriously. (Cybersecurity discussions need not happen in the formal Cyber Working Group.)

In sum, there are at least a few potential upsides for the United States, though the downside risks described by others are likely greater. For U.S. companies concerned about commercial espionage through computer systems, the answer is not to depend on the government to pressure other governments to stop spying or to pressure citizens to stop stealing. Even if the alleged PLA cyber theft program stopped yesterday, there would be other skilled individuals and teams ready to target valuable information. The answer is to make smarter decisions about data storage and network security.

The indictment of Chinese military officers for cyber-espionage should be seen in the broader context of a more pro-active U.S. effort to push back against China’s more confident and assertive flexing of its military and cyber capabilities. While the indictment is a token gesture, much like when the U.S. sent strategic bombers into China’s newly announced air defense identification zone in the East China Sea last November, this development is intended to signal to the Chinese authorities that the U.S. is willing to take concrete counter-measures even if that negatively affects bilateral relations in the near-term. The goal is to get the two sides to seriously engage in trying to find ways to mitigate their cyber-espionage competition towards each and prevent it from continuing its negative spiral.

By publicly targeting Chinese military personnel with this indictment, the U.S. may also be looking to influence the civil-military dynamic in China at a crucial juncture in the making of its national cybersecurity strategy. In February, Xi Jinping took charge of cyber affairs when he became the head of a newly established state leading group on Internet Security. One of the first jobs of this new coordinating committee is to draft a comprehensive national cybersecurity strategy, which presumably will help shape the long-term approach that China will take in its efforts to become a major ‘cyber power,’ which Xi has declared is a key goal. While the PLA undoubtedly has a powerful voice in the crafting of cybersecurity policy, the question is how much authority and oversight the civilian authorities have in this domain. That Xi became the head of this Internet Security leading group and has a couple of other civilian leaders as his deputies appears to show that the civilian authorities want to be in charge of the country’s cybersecurity system. With the indictment, the U.S. could be signaling to the Chinese authorities that they need to get the military under firmer civilian control in the cyber domain, otherwise it could undermine U.S.-China relations.