Chinese IP sanctions and the cybersecurity dilemma

In a recent blog, I noted that space limitations precluded adequate commentary on a recent Lawfare essay by Jack Goldsmith and Robert Williams, which argued that the “name and shame” policy pursued by both the Obama and Trump administrations had failed to deter Chinese economic espionage and the pilfering of vast amounts of confidential data. What follows is a more extended set of comments.

via Twenty20

In making their case for “failure,” Goldsmith and Williams recount the circumstances and details of a number of indictments since 2014, including the recent flurry of activity by the Department of Justice over the past several months. They point out that state-sponsored hacking seemed to decrease in the months after President Xi Jinping promised President Obama that in the future the Chinese government would not pass along intellectual property (IP) and trade secrets gleaned from espionage to Chinese companies. This turned out to be a false dawn, as Chinese economic espionage escalated throughout 2017 and in 2018. It became more sophisticated and targeted at dual-use defense sectors and technologies identified as central to China’s future as laid out in the “Made in China 2025” strategic planning document.

This leads the two scholars to state, as noted in the earlier blog, that “it is hard not to conclude that the Justice Department’s deterrence-by-indictment efforts have failed. And the scale of the failure is large . . . [given the] relentless theft of US assets.” With Beijing’s flouting of the 2015 agreement with the US (and G20 nations), the US has also failed to establish an international norm regarding economic espionage. Further, another goal to demonstrate the United States’ overwhelming cyber capabilities in reality has a downside. They warn: “Showing off the fruits of US surveillance capacities in this way must — at least at the margins, if not more deeply — compromise those capacities.”

In understanding the central elements of the Goldsmith/Williams analysis and conclusions, it is important to be aware that both scholars have written extensively and deeply on the larger issues surrounding the US-China cybersecurity dilemma. As Williams and Ben Buchanan wrote in another piece, the cybersecurity dilemma “is the notion that as one nation takes steps to defend itself in cyberspace, it inadvertently threatens other nations with what appears to be offensive action.” Both have expressed strong skepticism that China can live up to any promises regarding economic espionage, given the central imperatives of the Chinese authoritarian system.

As Goldsmith and Williams posit in the essay: “It is an open question [as to] how much of China’s resistance to preferred US norms is baked into the Chinese system and how much can be dialed back without sacrificing Chinese leaders’ perception of their core interests.” Further, they are acutely aware that economic espionage and national security issues are inextricably intertwined. In defending the Defense Department’s new “defense forward” strategy, the Williams/Buchanan piece stated: “Make no mistake, the Defense Department chose to pursue a more aggressive course because of the failure of previous efforts at establishing a status quo it finds acceptable. The 2015 agreement between the United States and China on commercial cybertheft seems to have failed to appreciably slow [China’s] widespread hacking.”

Goldsmith and Williams acknowledge that the US could (as I proposed in my blog) institute “meaningful economic sanctions” against Chinese firms that have benefited from commercial espionage. But they draw back from this option, arguing that “deploying the sanctions would risk inviting retaliation against US multinational firms that are vitally dependent on access to China’s markets. This is particularly salient in the Chinese context, as Beijing historically has not been shy about geopolitically motivated economic retaliation.”

This strong warning seems particularly to reflect Goldsmith’s deep pessimism that the US could come out the victor in any tit-for-tat cyber conflict with its adversaries. Thus, the essay concludes:

The bottom line is that the United States continues to be asymmetrically vulnerable to cybersecurity threats against private-sector companies on which US economic and national security depend. [Further], US commitments to free speech, privacy and limitations on domestic government surveillance make it difficult for the US government to identify, prevent and respond to malicious cyber operations. These “domestic issues add to the geopolitical complexities that have paralyzed the US government from responding more vigorously, leaving the country with a series of high-profile criminal indictments that have achieved no discernibly positive effects and that might, on balance, be self-defeating.

The bottom line also is that the implications of their analysis and conclusions leaves the US with no meaningful response to Chinese economic espionage. While conceding the dangers of escalation, I do think there is still a plausible, even compelling case to be made for a limited, targeted sanctions response to accompany current and future indictments. As I noted in my original blog, in the most recent indictment of the two Chinese Ministry of State Security officials, the charges were specific and backed by persuasive intelligence. Though we do not know all of the details, numerous press reports state that the administration had evidence that certain Chinese companies had directly benefited from the theft of IP and trade secrets. In such instances — abstracting from the larger geopolitical issues between the two countries — a cabined, precise set of sanctions constitutes a viable option.

Certainly, there is always a risk that Beijing will react with disproportionate retaliation against US companies with no evidence or (trumped up) allegations of illegal practices. But with a solid factual underpinning the US would have a strong case to present to the digital world that the Chinese government and its corporate coconspirators were clearly culpable. The cybersecurity dilemma need not always dictate paralysis.