Lucas Ashbaugh is an intern with the Digital and Cyberspace Policy program at the Council on Foreign Relations. You can follow him @LucasAshbaugh.
Until last week, China's compliance with the Obama-Xi agreement against conducting cyber-enabled espionage for commercial gain was generally viewed as a success. Since the deal was struck in 2015, the Director of National Intelligence, FireEye and other private cybersecurity firms have reported an overall decline in Chinese cyber espionage against commercial targets. Last week's report from the White House justifying its proposed tariffs on Chinese tech goods seems to revise that assessment. It suggests that China has not abided by the deal given that Chinese cyber espionage against U.S. companies persists, even though the report acknowledges that it has declined.
To further limit Chinese access to sensitive commercial technologies, U.S. policymakers are looking to reform the Committee on Foreign Investment in the United States (CFIUS), an entity charged with reviewing foreign acquisitions for national security considerations. CFIUS has already begun reviewing more transactions, but Congress is considering bipartisan legislation to expand its mandate to further broaden the scope of what it can review.
You’re likely to hear arguments over the coming weeks that the Donald J. Trump administration's actions and a stricter CFIUS regime will reduce the risk that China will pilfer sensitive U.S. technologies. Don’t buy it. In fact, allowing CFIUS to review more transactions might actually lead to a resumption of cyber-enabled commercial espionage because both issues are linked.
The decline of Chinese cyber-enabled commercial espionage is not necessarily the direct result of the 2015 deal. According to FireEye data, Chinese commercial espionage was on the decline a year before the agreement came to be. There are a few factors that can explain this, such as Xi Jinping’s efforts to rid the People’s Liberation Army of corruption, and curb the practice of officers working for the state by day and accepting hacking-for-hire gigs by night to supplement their incomes.
Furthermore, the Chinese government probably realized that it didn’t need to hack U.S. companies to obtain advanced technologies—state-backed investors could buy them outright through legal channels. In 2014, the same year FireEye says the cyber espionage started to drop, there was a dramatic increase in Chinese direct acquisitions of U.S. ICT and biotech companies according to the Rhodium group, a level of investment that has remained steadily high since.
Similarly, CFIUS reported a 29 percent increase in investigations from 2014 and 2015, and an additional 20 percent increase between 2015 and 2016. Though these increases cannot be directly attributed to China, it remains the country whose transactions CFIUS scrutinizes the most. In 2017 alone, there were eighty-seven announced Chinese acquisitions of U.S. companies, a large increase from already growing historical trends. Although CFIUS doesn’t reveal the data on these investments’ values, previous subject matter expert reviews of this activity have shown that the value of Chinese investments into the United States tripled from 2015 to 2016, reaching a value of over $180 billion.
Policymakers are correct. The CFIUS process needs reform. China shouldn’t be able to use loopholes like using joint ventures or minority investments to get around the potential of CFIUS reviews. Furthermore, the status-quo is untenable—Chinese companies have a lot more freedom to buy up firms in the United States than vice versa. However, making it harder for Chinese companies to legally buy U.S. firms through a reformed CFIUS could very well lead to an uptick in Chinese cyber espionage, much like squeezing the air from one part of a balloon only to see it swell into another. If U.S. policymakers want to reform CFIUS to make it harder for China to invest in the United States, they will need to be prepared to renew the pressure on China to curb its cyber espionage activities for commercial gain.
U.S. policymakers have a difficult task ahead of them. They have to pressure China in a way that balances national security interests and economic fairness while also standing firm against cyber espionage. Simply tightening CFIUS and slapping tariffs on Chinese tech goods is unlikely to achieve that balance.