China exposed on steel technology cyber theft: Why no indictments?

In what seems to be a clear case of Chinese trade secret theft, the Obama administration has left it to US Steel, a private corporation, to carry the complex burden of identifying culprits and proving direct ties to the Beijing government. The absence of the Justice Department and the FBI in this case stands in sharp contrast to the highly publicized 2014 indictment of five Chinese military hackers, where Assistant Attorney General John Carlin, in high moral dudgeon, stated that: “This is not conduct that responsible nations within the global community should tolerate.”

Subsequently, under threat of damaging US retaliatory action, Chinese President Xi Jinping agreed in September 2015 to a pact with President Obama that stated that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets . . . with the intent of providing competitive advantages to companies or commercial sectors.” President Obama warned at the time that the US would be “watching carefully” for violations.

In the nine months since the Obama-Xi agreement, cybersecurity experts have been divided on whether Chinese economic espionage had ceased or slowed down. The cybersecurity firm CrowdStrike reported continuing attacks against at least seven US high-tech and pharmaceutical companies. However, the Washington Post’s Ellen Nakashima, with sources in the Obama administration, claimed that the 2014 indictments of Chinese officers had a strong impact on the Chinese government. Assistant Attorney General Carlin has zealously hawked the administration line that its actions have “change[d] our adversaries’ cost-benefit analysis” and have had a “lasting impact.”

Yet the administration’s own top security bureaucrats remain skeptical. A senior official in the office of the Director of National Intelligence threw cold water on China’s good faith on economic espionage, noting that he had seen “no indication . . . that anything had changed.” And in March, NSA Director Michael Rogers told Congress that “cyber operations from China are still targeting and exploiting US government, defense industry, academic and private computer networks.” But Rogers also acknowledged the difficult question of “whether that activity is shared with the business world.”

This brings us to the puzzling US Steel case and the facts as we know them. In an April 26 complaint filed with the US International Trade Commission (USITC), the company, among other unfair trade allegations, accuses a number of Chinese steel companies of benefiting from technology stolen from US Steel by hackers directed and controlled by the Chinese government. (In a concise, exemplary analysis, John Miller of the Wall Street Journal has explained the underlying technical background.)

Briefly, as a result of pressure from regulators in the US, Europe, and Asia, auto parts and component suppliers have entered into a “lightweighting” race to shed pounds and streamline engines. Steelmakers, in turn, are competing to produce high-strength steel through shifts in the underlying chemistry and new heating and cooling processes. US Steel (which lost $1.5 billion last year) invested millions of dollars to create the new high-tech steel products, particularly a high-performing metal known as Dual Phase 980.

Chinese state-owned steel producers such as Baosteel Group and the Hebei Group had concentrated on lower-grade steel products and thus were unable to respond to the new demand for upscale high-strength steel. According to the US Steel USITC complaint, to get out of this competitive hole, in January 2011 a group of Chinese hackers broke into the computer of a US Steel researcher and exfiltrated several gigabytes of data on advanced steel processes and products, including the Dual Phase 980. US Steel further states that the company’s own “forensic analysis” has conclusively demonstrated that the culprits were Chinese and that the methods used were similar to those employed by the 2014 Chinese hackers indicted by the US government. “Independent sources” have linked the Internet address to a particular Chinese hacker group, designated APT6. Finally, US Steel adds that “it expects discovery to reveal that the Chinese government disseminated US Steel’s trade secrets” to the state-owned Chinese steel companies.

As further proof of the allegations, the US Steel complaint points out that while it took US companies an entire decade to develop the new high-tech steel products, Baosteel began shipping a version of the Dual Phase 980 within two years of the 2011 hacking. To no one’s surprise, Baosteel has labeled the charges “complete nonsense.”

Admittedly, there are still important undisclosed factual details concerning the US Steel petition (US Steel and its lawyers declined to comment beyond the public document). For instance, it is unlikely that US Steel had in-house cybersecurity capability, and thus probably contracted with a leading cybersecurity firm. Further, the citation of “independent sources” for the actual identity of the Chinese hacking group hints at additional help. And the key direct line between the hacking group, the Chinese government, and the state-owned steel companies has been left to “discovery.”

Still, the case presents fascinating questions in light of recent US-China sparring over IP theft and the Obama administration’s bold assertions. First and foremost, why has the US government not taken the lead in this case? Two years ago, the present author was critical of the indictment of the Chinese PLA officers, arguing that the actual IP theft involved was fairly trivial. Assuming that US Steel’s allegations regarding the trade secret theft are validated, this would seem an ideal case to “name and shame” — and severely penalize — the unholy nexus between Chinese government-directed hackers and Chinese companies. The high-tech steel processes and products exfiltrated represent cutting-edge technology that is central to maintaining global competitiveness in a vital industry. In cyber trade secret cases, not only is it difficult to determine conclusive attribution, but it is also difficult to trace the theft to the subsequent appearance of the purloined technology. Yet here — if the alleged facts prove out — the United States could present the world with solid forensic evidence of the unfolding crime.

In a January 60 Minutes segment, Assistant Attorney General Carlin sounded an urgent alarm over the “threat to our national security” from Chinese IP theft. And he added: “It’s not a fair fight. A private company can’t compete against the resources of the second largest economy in the world.” True enough — but then why hasn’t the Justice Department gone all in to defend US Steel’s strategic technology?