Sign up for tech policy updates
The latest on technology policy from AEI, published daily.
Renewed Chinese cyberespionage: Time for the US to act
Chinese cyberespionage is on the rise again, despite a 2015 US-China agreement to curtail commercial cybertheft. These potential acts of defiance come as the US and Beijing are moving toward confrontation across a wide number of economic and strategic fronts. Reports from two leading US cybersecurity firms, FireEye and CrowdStrike, have identified a “surge in espionage targeting cloud services, telecommunications companies, and law firms.” And several months ago, Chinese hackers took over a popular security tool to introduce malware into some 18 specific high-tech companies.
Meanwhile, last week at the annual Boao Forum (China’s Davos), Chinese President Xi Jinping promised to increase intellectual property (IP) enforcement, prompting President Donald Trump to praise Xi for his “enlightenment” on IP. The president clearly should check more carefully with his intelligence agencies before handing out such plaudits.
Let’s review the history and continuing issues relating to cyberespionage. While official documentation is scarce, a deluge of anecdotal evidence has pointed to China’s multifaceted effort to steal knowledge from patents and copyrights across the globe — particularly from leading American high-tech multinationals. Estimated losses run to more than $300 billion per annum. In September 2015, after directly threatening retaliation against Chinese companies, President Barack Obama convinced Xi to agree to a pact (not legally binding) between the two countries that stipulated that neither government would “knowingly” allow the theft of IP for commercial purposes.
Although there was some disagreement at the outset as to whether the Obama-Xi agreement produced a decline in Chinese cyberattacks, as time went on, it did seem that while such actions never ceased entirely, they were much less frequent. The Obama administration, led by Assistant Attorney General John Carlin, insistently proclaimed that Obama’s action had introduced new international norms and caused “China to change its behavior.” In retrospect, and given recent Chinese actions, the story is more complicated.
The decline in the number of Chinese-related cyberattacks also stemmed in part from changes within China itself. Briefly, even before the 2015 pact, Beijing had moved to reform and more closely supervise Chinese cyberespionage activities. China steered away from so-called vacuum cleaner espionage that scooped up reams of information with little regard to sophisticated secrecy. As part of President Xi’s anti-corruption campaign — and sweeping moves to centralize decision-making — freelance ventures between People’s Liberation Army officers and outside groups were sharply curtailed. The new goals focused on more national security–directed espionage, although the lines between national and economic security remained somewhat blurred by dual-use technology. But as Michael Chertoff, former head of the Department of Homeland Security, stated: “It doesn’t strike me as unlikely that the word went back, ‘Guys, cool the hot-rodding. If there’s something worth stealing, do it, but do it in a way that’s not so obvious.’”
Recent examples of cyberespionage made public by private security firms illustrate this pattern. Chinese-related hackers have sought information about radar capabilities and movement detection devices from private defense contractors in support of Chinese reactions to US movements in the South China Sea and more general hacking of academic and private-sector engineering labs. Testing the limits of the 2015 agreement, Chinese-controlled hackers have also sought to steal information from US financial firms to gain inside information related to future Chinese corporate acquisitions in the US and Europe.
All of this forms the backdrop to upcoming trade negotiations between the Trump administration and Beijing’s leaders. The president has come back to IP theft repeatedly (and correctly). Regarding continued Chinese cybertheft, the US should adopt the following strategy:
- Within the limits of intelligence disclosure (and the US intelligence agencies should be leaned on to reveal more than they normally wish), the US negotiating team should provide evidence (with specific examples) that the US has the capability to track and attribute IP theft to Chinese-controlled groups; and
- The US should warn Beijing that in the future, if Chinese IP theft is identified in advanced R&D and production related to high-tech products or processes, the US will ban Chinese companies that have benefitted from this theft from operating in the US market — even if there is no direct “smoking gun” leading directly back to the individual companies.
Beyond this, it would also be wise for the two countries to establish a single official or office that can act as a liaison when IP theft is alleged in either country.