3 November 2015

Why the U.S.-China Cyber Spying Ban Will Inevitably Fail

November 1, 2015

On a cool fall day in late September, President Obama and Chinese President Xi Jinping stood together in the White House Rose Garden and pledged “that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property (IP), including trade secrets, or other confidential business information, with the intent of providing competitive advantage to companies or commercial sectors.” Obama added that the U.S. government would be watching closely to ensure that “words are followed by action.” In a seemingly strong sign of goodwill, the Chinese government had prior to the announcement already quietly arrested a number of hackers, identified as having stolen commercial secrets from American corporations.

While the Obama-Xi meetings did lead to some notable successes, such as the Chinese purchase of 300 Boeing airplanes, the agreement on cyberespionage is not one of them. Barely a day had passed since the announcement when CrowdStrike, a cybersecurity service provider, accused “Chinese government-affiliated actors” of attempting to hack into its clients’ networks. In a blog post, CrowdStrike noted that the intrusions were against technology and pharmaceutical sectors, which implied they were conducted with the goal of stealing IP and trade secrets.


The media immediately seized on this announcement with much excitement, but it should not have come as a surprise. There are five main reasons why the agreement was never really more than words:

1. Chinese unrestricted warfare includes peacetime economic warfare.

In 1999, People’s Liberation Army (PLA) colonels Qiao Liang and Wang Xiangsui published a text, entitled Unrestricted Warfare, which argued that modern warfare transcends the “matériel” of the military domain and includes information, economic and psychological operations. Moreover, unrestricted warfare was not simply a strategy to be operationalized at the onset of active hostilities; it could also be used in peacetime as a subcomponent of a strategy for long-term competition with the United States and other Western countries.

It is perhaps within this framework that the People’s Republic of China’s (PRC) use of economic cyberespionage can best be understood. The theft of IP and trade secrets is a form of economic warfare—it levels the economic and technological playing field, progressively diluting the core strengths of a competitor or potential adversary for strategic ends. Industrial espionage does not necessarily need to be aimed against classified systems to yield national security benefits. Many unclassified systems may contain information on technology and innovation that is currently under export control or, in the case of intrusions of software vendors, provide potential insight into latent vulnerabilities that can be leveraged for future purposes.

Past cyber-industrial espionage campaigns such as Titan Rain and Operation Aurora, both of which have been largely attributed to China, fit within this framework. In both cases, the targeted systems were unclassified, but the amount of data exfiltrated over a prolonged period of time—allegedly twenty-four months in the case of Titan Rain and about six in the case of Operation Aurora—undoubtedly provided some economic and intelligence benefit. Former FBI Assistant Director for Counterintelligence Dave Szady has dubbed this the “thousand grain approach”: the notion that most intelligence requirements can be met through the mass accumulation of open source data.

Given the centrality of such thinking in Chinese strategic thought, it is highly unlikely that industrial espionage could ever cease to exist after an agreement.

2. The Chinese R&D strategy supports acquiring foreign technology via espionage.

The impetus for Chinese industrial espionage is also captured in Beijing’s research and development (R&D) strategy. China’s “National Medium and Long-Term Plan for Science and Technology Development (2006-2020),” known in the West as the MLP, describes itself as being the “grand blueprint for science and technology development” required to realize the “great renaissance of the Chinese nation.” While the MLP does promote a policy of indigenous innovation, it also advocates “enhancing original innovation through co-innovation and re-innovation based on the assimilation of technologies.” Accordingly, many international technology companies consider the MLP an official green light for industrial espionage.

Furthermore, the U.S. Counterintelligence Executive has detailed how aspects of China’s science and technology modernization strategy, known as the “863 Program,” explicitly provide funding and guidance on how to clandestinely acquire U.S. technology and other sensitive information for the purpose of the PLA, in addition to funding indigenous R&D efforts. Of the nine foreign espionage cases that have been prosecuted in the States between 1996 and 2011, three were linked to the 863 Program.

3. Cyber is fragmented across the PRC; an agreement may not have consensus.

As John Lindsey so aptly notes, “there is no single Chinese view on cybersecurity and cyberwarfare, just as there is no one Western view.” While China does have a one-party system, Chinese policy on cybersecurity is in reality highly fragmented, both functionally and regionally. The Party, State Council, PLA and provincial governments thus all have differing roles and responsibilities. When combined, the multiplicity of actors, lack of transparency and absence of effective policy coordination in the Chinese system create a “Wild East” approach to cybersecurity policy. It is therefore possible that even though ranking members of the Communist party may be in favor of an anti–corporate espionage agreement, other government entities are not.

4. On the other hand, Chinese e-crime capabilities are well-developed. If the PRC wants to truly stop large-scale corporate theft, it conceivably could.

There has been a general trend in China whereby former “black hat” hackers are integrated into the “white hat” PRC mainstream. For instance, Peng Yinan, who is the alleged cofounder of the Chinese hacking group Javaphile, is now believed to be conducting research on behalf of the government. In 2008, Yinan published two academic articles on cyberespionage techniques, under Shanghai Jiaotong University’s Information Security Engineering Institute’s affiliation. The Institute has been a recruiting pool for both the PRC’s Foreign Intelligence and for the PLA.

In 2009, following a series of high-profile foreign government web defacements, the Chinese government expanded their anti-hacking laws. Prior to 2009, the anti-hacking laws only prohibited intrusions into PRC government computer systems; however, post-2009 the legislation also included “patriot” hackers. The 2009 anti-hacking developments were accompanied by a string of high-profile arrests. Since the laws’ expansion, a large number of hacker communities have been forcibly integrated into legitimate “white hat” entities, such as computer security companies, consulting firms and academia. These entities, in turn, forged closer ties with Beijing and the military. Given that hackers are structurally incorporated into the government apparatus, it is very likely that some corporate cyberespionage attacks are implicitly endorsed by the PRC.

Furthermore, while cybersecurity may be bureaucratically fragmented across the system, this does not mean that Beijing lacks credible e-crime enforcement capabilities. As demonstrated by the 2009 arrests, the PRC has the capability to clamp down on hackers when it deems doing so to be in its interest. For instance, this past summer the PRC launched a six-month campaign called “Operation Clean Internet,” which sought to arrest people for alleged cybercrimes, ranging from hacking to spam text messages and online scams. According to the Ministry of Public Security, by September 15,000 people had been arrested.

5. China’s actions speak louder than its professed acquiescence to global norms.

Chinese actions (and strategic beliefs, more broadly) exhibit certain contradictions. As scholar Andrew Scobell has noted, most Chinese elites believe that China follows a uniquely peaceful tradition and has never initiated conflict. Yet, the southward expansion of the Han dynasty, the Sino-Vietnamese War of 1979 and the more recent violent subjugation of Tibetans and dissidents in its border regions would clearly suggest otherwise.

It is through this worldview that Chinese discourse with regard to global norms can be understood. The Chinese sometimes take great pains to appear to be following global norms of behavior. This is embodied in China’s state-sanctioned narrative of its “peaceful rise” and quest for a new model of great power relations. The PRC has also demonstrated a growing desire to show leadership in the creation of new economic structures and institutional frameworks. Yet in reality, Chinese actions often run counter to their stated adherence to global norms. For example, as the Information Technology and Innovation Foundation has noted, fifteen years after China joined the World Trade Organization, the vision of China “embracing a rules-governed, market-based trade system has yet to materialize.” Instead, despite Chinese “adherence” to the WTO, China has adopted more aggressive mercantilist trade practices. In the South China Sea, China adheres to its own singular interpretation of the United Nations Convention on the Law of the Sea (UNCLOS) when it is in its interest, yet engages in the very actions it criticizes when acting within the exclusive economic zones (EEZs) of other states.

It is possible that Chinese acceptance of an anti-industrial espionage agreement falls within this rubric. China wants to be a global leader in cyberspace, as evidenced by its multilateral initiatives on cyberterrorism through the Shanghai Cooperation Organization and its involvement with the United Nations Group of Government Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. Yet Chinese proclaimed acquiescence to an anti-industrial espionage agreement may be just that, a façade.

Attribution in cyberspace provides room for governments to maneuver. China can be party to cyber agreements, while perpetuating its current actions. As Timothy Thomas, a noted cyber expert on China, has observed, Chinese spokespeople have plenty of experience denying their country’s involvement in cyber exploitation. Purported acquiescence to cyber norms, when combined with firm denials of intrusive cyber activities, allows China to “support a righteous cause” and not “lose face,” all while continuing its state-sponsored industrial espionage campaign.

Jennifer McArdle is a Fellow in the Center for Revolutionary Scientific Thought at the Potomac Institute for Policy Studies and a PhD candidate at King’s College London in the War Studies department. Follow her on Twitter: @jlmcardle01.
