China’s new ‘legal’ cyber espionage: Time to respond
AEIdeas
Even if belatedly, the Trump administration is stepping up counterattacks on widespread (and possibly increasing) Chinese government-backed theft of US firms’ intellectual property and trade secrets. Last week, the US Department of Justice indicted an official of China’s Ministry of State Security on charges of economic espionage and attempting to steal trade secrets from American aviation and aerospace companies. The indictment followed an extraordinary extradition from Belgium, where the Chinese operative had been lured by US agents.
These charges also follow a similar indictment last month of a Chinese citizen in Chicago for working with Chinese intelligence agencies to recruit scientists and engineers from US defense contractors. Hopefully, as I’ve called for in earlier blogs, these actions will be supplemented by a series of “show trials” exposing Beijing’s duplicity after having promised to eliminate Chinese government-backed economic espionage against US companies (more on this in a later blog).

China’s Minister of the Cyberspace Administration Xu Lin speaks at the opening ceremony of the fourth World Internet Conference in Wuzhen, China, December 3, 2017 – via REUTERS
The issue for this blog is Beijing’s potentially “legal” espionage, under the aegis of the rules recently promulgated pursuant to China’s National Cybersecurity Law. Typical of Chinese legislation, the law was full of sweeping declarations but vague on the administrative details. The administrative rules have now been published and will go into effect on November 1. They confirm some of the worst fears of foreign corporations doing business in China.
The Chinese law’s sweeping definition of national security and cybersecurity takes in many sectors not normally associated with national defense, including banking, construction, transportation, telecommunications, and other services. Under the mandated security reviews, government officials can physically inspect and remotely access private networks, ostensibly in search of material that “may endanger national security, public safety and social order.” The law defines a network as “any system comprised of computers and related equipment that gathers, stores, transmits, exchanges, or processes information,” a definition broad enough to reach virtually any corporate IT system. Further, under the new regulations, operators of critical infrastructure platforms must store their data locally, and they must provide undefined “technical support” to security agencies and officials as they undertake missions to fulfill China’s cybersecurity imperatives.
The Cyberspace Administration, which administers the law, has the authority to demand that operators of critical infrastructure provide access to source code and other technical materials as proof that their equipment is secure. Foreign operators also must receive specific permission before moving key business and personal data out of the country. These obligations apply not just to internet operators but also to companies that use data as a vital part of their international operations. Companies are held individually responsible for policing their data and equipment, with violations punishable by heavy fines. There is a direct tie-in to China’s Great Firewall, as companies are responsible for keeping prohibited information off the internet.
While the Trump administration seems to be taking a harder line on undercover Chinese economic espionage, thus far its response to the damage and dangers inherent in the new cybersecurity law has been weak and fitful, despite ample warning from US corporations that do business in China and depend on networks operating in and out of the Chinese mainland. Late in 2017, the administration merely expressed “concern” about the new law and later raised the issue briefly in World Trade Organization (WTO) talks, though US trade officials admitted that the issues raised were likely outside of WTO purview.
It is time for this lackadaisical response to change. Beijing’s potential demands on foreign network equipment in China represent an Achilles’ heel for US internet-related security. Whether the recent, much-disputed Bloomberg “bombshell” chronicling supposed Chinese penetration of vital US supply chains is accurate or not, the episode warns that Chinese intelligence is working night and day to accomplish just this goal.
On a broad front, the US and Beijing are moving toward deeper economic and security conflict. Despite the saber rattling, it looks as if the two countries will resume more formal negotiations, possibly after this November’s G20 summit. In both economic and security talks, US negotiators should make the new cybersecurity law and regulations a top priority. The US should make clear to Beijing that it will not allow US firms to give up source code and other security-vulnerable trade secrets to security reviews.
In advance of US-Beijing talks, the Trump administration should also convene an in-depth discussion with US high-tech companies operating on the Chinese mainland. It should commit that the US government will back those companies’ resistance to demands that would ultimately expose their equipment and processes to Chinese economic and security sabotage. Gray areas should also be explored. For instance, Apple has agreed to store all its Chinese iCloud users’ data at a data center in China, under the supervision of a Chinese joint venture partner. Beyond that, it has also moved the cryptographic keys that unlock these accounts to China to comply with Beijing’s regulations, which means that whoever holds those keys in-country can be compelled to use them under Chinese law rather than US law.
The bottom line is that the Trump administration is still far behind in crafting a credible and actionable response to this latest assertion of “cyberspace sovereignty” from Beijing. Recent indictments are a good sign, but it could all be for naught if US companies are forced to cough up the “crown jewels” in response to Beijing’s duplicitous concerns about cyber privacy and security.
