A New Old Threat
Countering the Return of Chinese Industrial Cyber Espionage
China is once again conducting cyber-enabled theft of U.S. intellectual property to advance its technological capabilities. To combat the problem, the United States should build a multinational coalition, sanction Chinese companies, and strengthen cyber defenses.
December 6, 2018
After a three-year hiatus, the cyber-enabled theft of intellectual property by Chinese hackers is once again a point of contention in the U.S.-China relationship. Cybersecurity firms have reported new attacks on U.S. companies, and Donald J. Trump administration officials have claimed that China is ignoring a 2015 agreement in which both countries pledged not to conduct hacking to benefit commercial entities.
While the Trump administration is mounting a broad campaign to pressure Beijing into ending the theft of intellectual property (IP) and trade secrets from U.S. companies, more can be done to fight cyber-enabled industrial espionage. With the return of Chinese hacking, the United States should develop an international attribution-and-sanction regime; sanction the companies that benefit from cyber espionage; and strengthen counterintelligence outreach to startups and small companies in artificial intelligence (AI), quantum, semiconductor, telecommunications, and other sectors central to Chinese technology strategies.
For years, Chinese hackers carried out a massive campaign of cyber-enabled theft of intellectual property and trade secrets against U.S. companies. Many of the targeted companies operated in sectors that Beijing believes are important for future innovation, such as aerospace, semiconductors, and information technology. Although it is hard to measure the effect of cyber espionage on U.S. competitiveness, an independent commission estimated the annual loss to the U.S. economy from the theft of intellectual property to be more than $300 billion, with 50 to 80 percent of such theft by China.
In a speech at the Asia Society in early 2013, National Security Advisor Thomas Donilon warned of “cyber intrusions emanating from China on an unprecedented scale.” Months later, U.S. President Barack Obama confronted Chinese President Xi Jinping with the issue at the Sunnylands Summit. In May 2014, the Department of Justice indicted five People’s Liberation Army (PLA) officers for stealing trade secrets from Westinghouse, U.S. Steel, and other companies.
In the summer of 2015, news reports suggested that the administration was ready to use Executive Order 13694 [PDF], which authorizes sanctions against companies or individuals that profit from cyber theft, to sanction state-owned enterprises and senior Chinese officials associated with cyber theft. These punishments would have overshadowed President Xi’s first summit in Washington, and in response, Beijing dispatched Meng Jianzhu, one of the Chinese Communist Party’s highest-ranking officials, to negotiate an agreement.
Standing on the steps of the Rose Garden in September 2015, Obama and Xi vowed that neither the United States nor China “will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information,” for commercial advantage. Thus the announcement of the cyber pact appeared to be the result of a diplomatic and legal strategy referred to as naming and shaming. Washington called out specific acts of malfeasance in order to deter future hacks, and indicted the perpetrators when it could identify them.
The announcement suggested that Washington had successfully defined a norm of state behavior in cyberspace, distinguishing between acceptable and unacceptable hacking. According to the administration’s definition, hacking for national security purposes was to be expected by all states and was fair game. Hacking private companies for commercial gain, on the other hand, was not. But the norm was broad and open to interpretation. Attacks on defense contractors and producers of technologies with both civilian and military use might not be covered by the agreement, because they could be motivated by national security, not competitiveness.
Beijing had earlier argued that it was hypocritical for the United States to call out Chinese cyber operations as violating international norms, especially in the wake of the revelations of widespread U.S. espionage activities by Edward Snowden. But Chinese leaders embraced the distinction—not only in the 2015 U.S.-China agreement, but also in similar agreements it reached with Australia, Canada, and the United Kingdom that barred commercial cyber theft. China also signed off on Group of Seven [PDF] and Group of Twenty statements that proscribed cyber industrial espionage.
Despite initial skepticism about the agreement’s durability and efficacy, cybersecurity companies recorded a steep decline in Chinese attacks against U.S. companies in the first year after it was concluded. FireEye released a report in June 2016 that showed that the number of network compromises by the China-based hacking groups they tracked dropped from sixty in February 2013 to less than ten by May 2016. However, experts warned that the decrease in the number of publicly disclosed attacks might be the result of Chinese attackers becoming more sophisticated and harder to trace. The decline also appeared to predate the agreement, suggesting that the decline was as much the result of internal forces, such as the consolidation of control over PLA cyber units through the creation of the Strategic Support Force (the PLA’s space, cyber, and electronic warfare arm), as it was of U.S. diplomatic pressure.
Over the last year, however, CrowdStrike, FireEye, PwC, Symantec, and other cybersecurity companies have reported new Chinese computer attacks on U.S. companies. In November 2017, the Justice Department indicted three Chinese nationals employed by the Chinese cybersecurity firm Boyusec, charging them with hacking into the computer systems of Moody’s Analytics, Siemens AG, and global positioning system (GPS) developer Trimble Inc. “for the purpose of commercial advantage and private financial gain.” Rob Joyce, a senior official in the National Security Agency and former White House cybersecurity coordinator, claimed that China violated the 2015 agreement, saying in November 2018 that “it’s clear that they [China] are well beyond the bounds today of the agreement that was forged between our countries.”
There are two possible reasons Chinese hackers have apparently restarted their cyber-enabled theft of intellectual property. First, Beijing might never have intended to give up cyber espionage entirely but instead saw an opportunity to gain diplomatic advantage in implementing changes it already planned to make—shifting espionage from relatively noisy PLA hackers to more skilled operators in the Ministry of State Security (MSS). Although this would result in a temporary downturn in activity as hacking infrastructure was reoriented, its main purpose was to allow the PLA to focus on warfighting operations and reduce the number of incidents the United States could attribute to China. The agreement also prevented Xi’s visit from being ruined or cancelled. In effect, Beijing always intended to continue commercial espionage—it just intended to stop getting caught.
Second, the return to industrial hacking might be a reaction to the increased political and trade tensions between Washington and Beijing. Even as Beijing decreased cyberattacks on U.S. networks in 2015, it increased its attacks in other countries, particularly in Southeast Asia, which suggests that the downturn was contingent on diplomatic considerations. With the Trump administration restricting Chinese investment in high-technology sectors, blocking Chinese telecommunication companies from doing business in the United States, and levying tariffs against Chinese exporters, Chinese policymakers might now believe they have little to gain from continuing to honor the agreement.
While China might believe it can reach a stable equilibrium of espionage with the United States, in which the MSS deploys a level of tradecraft equivalent to the hacking conducted by the National Security Agency, the Trump administration has demanded that Beijing halt state-sponsored cyberattacks against commercial networks as a prerequisite to any de-escalation of the trade war. The administration has also ramped up the law enforcement response. In November 2018, then Attorney General Jeff Sessions announced a China Initiative to identify priority Chinese trade theft cases, pool FBI and Department of Justice resources to combat Chinese economic espionage, and evaluate whether additional legislative and administrative authorities would be required to protect U.S. assets from foreign economic espionage.
In addition, U.S. Cyber Command released a new “defending forward” cyber strategy to frustrate the operations of its online adversaries, including Chinese operators. The strategy [PDF], released in September, states that U.S. operators “will disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” “It’s about making it harder for them [foreign hackers] to succeed,” Joyce said of the strategy at the Aspen Cyber Summit. “Some of that will be taking away the infrastructure they’re using. Some of it [is] exposing their tools.”
These are useful first steps, but the United States should build out the strategy in three ways.
First, the United States should apply to Chinese cyber espionage the broad and coordinated model of attribution and sanctions it has developed with its intelligence partners and other allies in response to Russian cyber operations. In February 2018, seven nations (the United States, Australia, Canada, Denmark, Estonia, Lithuania, and the United Kingdom) attributed the NotPetya cyberattacks to Russia. Eight months later, U.S., Australian, Canadian, Dutch, and UK officials accused Russian military intelligence of a range of cyber activities, including hacking the Democratic National Committee and the World Anti-Doping Agency. Chinese hackers have also targeted companies in Australia, Japan, and Europe, and in response, Washington should mobilize large-scale, coordinated attribution with these same partners—especially countries such as Canada, Germany, and others victimized by Chinese commercial cyber theft—followed by concrete sanctions. While the Trump administration has so far shown little inclination to work with allies on its China policy, and is levying tariffs on some of these potential partners, a broad coalition would frame industrial cyber espionage as not just a point of contention in the U.S.-China relationship but also as a point of Chinese intransigence in the face of an increasingly accepted international norm.
Second, administration officials should move past indictment to targeted sanctions on companies, universities, researchers, and individuals caught using cyberattacks to steal U.S. intellectual property—a step they have reportedly mulled. Since there is little chance that indicted hackers will ever face a criminal trial (unless they travel or are lured to countries with extradition treaties with the United States), Washington should also seek to prevent future attacks by punishing those who benefit from the thefts, especially Chinese companies that do business in the United States. The Department of Commerce, for example, recently barred the exports of U.S. technology to a Chinese chip manufacturer accused of recruiting individuals to steal information from Micron, a semiconductor company. Similar punishments should be levied for cyber espionage. Executive Order 13694 already authorizes the Treasury Department to sanction entities engaged in cyber-enabled corporate espionage.
Third, the U.S. government should help small companies increase their cyber defenses against Chinese hackers and strengthen counterintelligence to identify sectors and companies under threat. Small companies and start-ups in AI, quantum, semiconductor, telecommunications, and other sectors central to Chinese technology strategies are unlikely to be aware of the threat of Chinese actors or have the resources and expertise to reduce vulnerabilities. Counterintelligence officials should brief firms in these sectors on cybersecurity best practices, and, since most employees at small tech companies are unlikely to have security clearances, declassify information that would make the warnings more credible and actionable. In addition, companies and intelligence agencies should consider a strategy of “poisoning the well”—planting fake data on networks to make it harder for the hackers to know what is useful and what is not.
The administration should not expect an easy resolution to its industrial hacking problem. Beijing will continue to employ industrial policies to close the technological gap with the United States, and Chinese companies and individuals will continue to have incentives to commit illicit forms of technology transfer, including cyber-enabled theft, in order to acquire new capabilities. Changing Beijing’s behavior will be a long-term endeavor, the success of which will be rooted in building a multinational coalition, punishing companies that benefit from cyber espionage, and strengthening cyber defenses at home.
This Cyber Brief is part of the Digital and Cyberspace Policy program. The Council on Foreign Relations takes no institutional positions on policy issues and has no affiliation with the U.S. government. All views expressed in its publications and on its website are the sole responsibility of the author or authors.