New China intellectual property indictments: A step forward and a cop-out

Just before Christmas, the Trump administration scored an important advance in leading a collective multination condemnation of voracious Chinese hacking and theft of intellectual property and trade secrets. But it blinked and blundered in not following the accompanying indictments with sanctions against Chinese entities that benefited from the data pilfering. The supine response also undercuts the administration’s public vow to take a harder line against malicious hacking, as evidenced in the Defense Department’s new “defense forward” cyber strategy.

On December 20, the US Department of Justice (DOJ) disclosed that it had handed down sweeping charges against two Chinese officials associated with the Chinese Ministry of State Security (MSS). Briefly, as the details have been widely publicized, the accusations include stealing “hundreds of gigabytes” of confidential information, intellectual property, and trade secrets. Although only two Chinese officials were named in the indictment, the documents show that they were part of a larger MSS-directed hacking group known as APT10.

It is clear from the indictment that US intelligence agencies have been tracking the activities of the group (in various guises and names) since 2006. But only in the past few years have US officials been able to link them directly to Chinese state. The breadth of the data pilfering is truly impressive and swept in a large number of sectors, including energy, natural resources, aerospace, automotive electronics, telecommunications, financial services, pharmaceuticals, and defense companies and contractors. APT10 also penetrated at least a dozen foreign public and private institutions, as well as US government agencies, constantly shifting its tactics and IP addresses in attempts to elude detection by intelligence agencies. Beginning in 2010, APT10 began targeting technology service providers (such as cloud computing and network support firms), and by penetrating these support companies it gained access to their clients around the world. (Although the indictment did not identify the service companies, The Wall Street Journal reported that they included IBM and Hewlett Packard Enterprise.)

The Trump administration’s actions, in conjunction with other recent moves, represent significant positive responses to Beijing’s relentless cyberespionage. First, the depth and breadth of the intelligence operations (spanning over a decade and including exposure of Chinese spying actions by multiple cyber actors who attacked numerous sectors) sends a clear signal to top Chinese officials that the US has the capability to track and specifically attribute espionage to its source. FBI Director Christopher Wray underscored the US capability to penetrate the maze of Chinese public-private cyber synergy. He noted that the Chinese hackers weren’t “just Chinese officials with epaulets on their uniforms. These are state-owned enterprises, ostensibly private companies, hackers of all shapes and sizes, researchers, businessmen,” working “on behalf of the Chinese government.”

Second, for once the Trump administration acted in unison with key allies. It was afforded this opportunity by the fact that it used US prowess to uncover widespread hacking operations against a number of countries — Germany, Japan, Sweden, Switzerland, Australia, New Zealand, and Britain, among others. Led by the British Foreign Office, the other nations of the “Five Eyes” collective intelligence alliance — New Zealand, Australia, and Canada — all issued common statements condemning Chinese hacking as a violation of its 2015 pledge to the US (later expanded to G20 nations) not to conduct economic espionage. They were joined by separate statements from Denmark, Sweden, and Finland. As Adam Segal of the Council on Foreign Relations (CFR) noted, “The synchronized statements show that the Trump administration has tapped into deep international frustration with China’s behavior in cyberspace.” Of equal importance, the joint statements demonstrate that — at least in this important instance — other nations consider US intelligence agencies’ conclusions credible and trustworthy (which has not always been the case in the past).

It is thus astonishing and deeply unfortunate that the Trump administration did not follow through with sanctions to accompany the indictments. According to a number of press accounts, the administration had gathered evidence regarding at least some of the beneficiaries of the IP trade secrets theft. At the last moment, Treasury Secretary Steven Mnuchin vetoed the sanctions, arguing that they might negatively affect trade talks with Beijing. Here is why this cop-out was a mistake.

First, indictments and sanctions against Chinese IP depredation can and should be kept separate from the outcome of the trade negotiations. (Thus, it was also a grave error for President Trump to hint that he might shortcut the judicial process in relation to the indictment of Huawei executive, Meng Wanzhou.) In the latest indictments, US intelligence agencies and the DOJ have done their homework: The details are both sweeping and precise (and, as noted above, have convinced often skeptical trading partners). Such judicial — and sanction — decisions are not dependent on larger policy issues relating to the global contest between the US and China or a policy of “decoupling.”

Second, while “naming and shaming” with indictments of Chinese officials who will never be brought to justice was a necessary first step, it has clearly failed to deter Chinese officials’ determination, at least in part, to steal their way to technological dominance. The US has been charging Chinese miscreants since 2014, and in the current flurry of activity, it has rendered eight indictments since July. According to the DOJ — despite adamant denials by Beijing — China has been linked to 90 percent of economic espionage episodes over the past seven years (including more than three years after the 2015 pledge).

Finally, the debate over sanctions should not be viewed narrowly as between the hawks and so-called moderates in the Trump administration. Outside trade and security analysts (including strong Trump trade critics such as the author) who do not fit the “trade hawk” definition have called for stronger action. For instance, Chris Painter, a former Obama administration State Department cybersecurity diplomat, has called for the US (and other Western nations) to sanction Chinese firms that have benefited from economic espionage. CFR’s Segal has also endorsed such an approach.

Similarly, in a recent Lawfare essay, Jack Goldsmith and Robert Williams have pointed to the “failure” of the US “Chinese-hacking indictment strategy.” They argue further that the indictments have another “underappreciated adverse impact. When the main public response to cybertheft that has reached crisis proportions is to identify the perpetrators but not punish them, the main signal to adversaries . . . is that the United States is extraordinarily defenseless.”

The bottom line is that in the future the Trump administration and succeeding US administrations should not shy away from sanctions on Chinese companies when they have substantial evidence to support attribution — and retribution.

(Postscript: Within the space of this blog it was not possible to do justice to the extended and nuanced analysis and conclusions of the Goldsmith and Williams essay. A future blog will hopefully rectify this.)