Cyber Threats and China: US Policy Conundrums
In August 2015, on the eve of President Xi Jinping’s visit, White House leaks suggested that the United States would sanction commercial cyber espionage originating in China. But the warning was withdrawn two weeks later. The two presidents will surely discuss cyber threats, including commercial cyber espionage, when they meet this week, and the United States will likely adjust future reprisals to reflect the outcome of talks.
Even if presidential talks are unsatisfactory from a US standpoint, addressing cyber threats creates multiple policy conundrums:
- distinguishing between cyber warfare, military cyber espionage, and commercial cyber espionage;
- identifying the perpetrator; and
- designing a suitable response.
The Chinese are well aware of all three conundrums, and that knowledge will shape the talks between President Obama and President Xi. Before commenting on these conundrums, it may be useful to summarize the dimensions of commercial cyber espionage.
The Payoff and Cost of Commercial Cyber Espionage
Trade secrets are usually acquired through costly research and development (R&D) and long years of “learning by doing.” By contrast, commercial cyber espionage offers a quick and low cost means of acquiring trade secrets. If not deterred by effective enforcement and stiff penalties, cyber espionage represents an enormously attractive shortcut to the frontier of production and distribution techniques.
Major targets for commercial cyber espionage are firms that develop innovative technology. According to cyber security company FireEye’s reports, China hacks US companies in electronics, telecommunications, robotics, data services, pharmaceuticals, mobile phone services, satellite communications and imagery, and business applications software. These industries align with the focus areas addressed in China’s strategic emerging industries initiative as a part of its 12th Five-Year Plan.
A report by the Center for Strategic and International Studies estimates the overall economic losses caused by cyber espionage and cyber crime at approximately $100 billion per year. This figure represents a combination of lost profits, exports, and employment. The US Department of Commerce calculates that every $1 billion of US exports supported 5,796 jobs in 2014. The amount of US exports lost through cyber espionage is unknown, but job losses in innovative tech industries could run into the tens of thousands.
Distinguishing the Type of Threat
China and the United States can probably agree on the broad contours of cyber warfare and perhaps declare “no first use” policies. This might be a headline outcome from the presidential visit. Deploying cyber malware to collapse an electrical grid, telecommunications, the Internet, or the banking system are clear examples of warfare. Beyond those provocations, considerable gray area exists. What about disabling the website of a single large firm, such as Amazon, or creating online chaos for a single large bank, such as Citigroup? However, if Obama and Xi can agree on the broad contours of cyber warfare, a China-US working group can delve into such details. This would represent a very positive result of the Obama-Xi summit.
As President Obama acknowledged last week, cyber military espionage is a staple of modern statecraft. The likely Chinese attack that compromised some 22 million files held by the Office of Personnel Management falls within this category. As former CIA Director Michael Hayden observed, the US National Security Agency (NSA) would like to get its hands on similar personnel records of foreign adversaries. Since military cyber espionage is a ubiquitous activity, and since the United States has considerable skill in this sphere, with heavy infiltration of China reported, Chinese military espionage does not call for a targeted response.
But the distinction between military cyber espionage and commercial cyber espionage is not always obvious. The United States and China ought to agree that cyber theft of Amazon’s or Alibaba’s trade secrets amounts to commercial espionage. But they might disagree about cyber espionage designed to capture the trade secrets of China Mobile or T-Mobile: military or commercial?
A bigger difficulty arises in reaching agreement that governments should abstain from commercial espionage. In the US view, governments should not only abstain but energetically prosecute all forms of commercial espionage. China probably takes a different view. Like many countries, the United States has laws prohibiting commercial espionage, by cyber or other means, within its territory. Numerous criminal prosecutions have been brought under the Economic Espionage Act of 1996. China probably has parallel statutes, but few enforcement actions are reported.
Identifying the Perpetrator
Skilled computer hackers disguise their location. Before launching economic sanctions, or “hacking back,” the United States would want a high degree of certainty that it has identified the right target. But in this context, does “high degree” mean 90, 95, or 99 percent certain? And is the United States prepared to disclose the evidence underlying its identification of the target?
The headline cyber attack of 2014 was directed against the Interview, a Sony Pictures movie. Among other things, the hackers threatened to bomb theaters that did not cancel the film. US intelligence officials claimed that North Korea was behind the attack, and in January 2015 President Obama signed an executive order imposing sanctions against North Korean entities and government agencies, and 10 government officials. While attribution to North Korea seemed eminently plausible, since the object of this low comedy film was Kim Jong Un, technical evidence was never disclosed.
Nor, with respect to the current concern about Chinese cyber espionage, has the US government revealed technical evidence linking such activity to well-defined Chinese government agencies, firms, or individuals. If President Obama decides to implement targeted sanctions after the US-China summit, the United States should disclose the technical basis of its attribution.
Designing Effective Responses
As a self-help response, on July 23, 2015, the FBI launched its nationwide economic espionage awareness campaign alerting US firms to the threat posed by cyber espionage to their trade secrets. The campaign was triggered by the rapid proliferation of cases reported in 2014, increasing 53 percent over 2013, with China as a major perpetrator. Five Chinese officers were also indicted, but they are safely at home in China and may never stand trial in a US court.
Laying the groundwork for an international response, on April 1, 2015, President Obama signed Executive Order 13694 declaring the cyber threat a national emergency and “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.” Under this executive order, the United States can impose sanctions against hackers who threaten US national security or the economy. The executive order encompasses cyber warfare and commercial cyber espionage but skirts military cyber espionage. Cited activities include attacking critical infrastructure, disrupting computer networks, and stealing intellectual property, trade secrets, or personal information for commercial gain. Within the long reach of US jurisdiction, the assets of individuals and entities found to engage in cyber warfare or commercial cyber espionage can be frozen. Commercial transactions through their bank accounts can be prohibited.
Executive Order 13694 said nothing about “hacking back.” Silence means this form of reprisal remains on the table for potential deployment by the US government, if not a condoned response by US firms.
After President Xi’s Visit?
President Obama has laid the legal groundwork, through Executive Order 13694, for a very strong economic response to commercial cyber espionage, when the perpetrators can be identified. He has not committed the United States to abstain from hacking back. Indeed, in recent remarks at a meeting of the Business Roundtable, President Obama asserted “we are preparing a number of measures that will indicate to the Chinese that this is not just a matter of us being mildly upset, but is something that will put significant strains on the bilateral relationship if not resolved, and that we are prepared to [take] some countervailing actions in order to get their attention.” In the aftermath of President Xi’s visit, it remains to be seen whether the incidence of such espionage will drop sharply. If not, will the United States publicly reveal its evidence for identifying perpetrators, and will it impose the full weight of authorized sanctions? Or perhaps hack back in exceptional cases? Stay tuned.
 Ellen Nakashima, “U.S. developing sanctions against China over cyberthefts,” Washington Post, August 30, 2015.
 Ellen Nakashima, “U.S. won’t impose sanctions on Chinese companies before Xi visit,” Washington Post, September 14, 2015.
 Trade secrets include all forms of confidential business information that the owner seeks to confine within the walls of the firm. Companies often prefer to guard their intellectual property as trade secrets rather than as patents, since patents require public disclosure of essential features. However, once disclosed in published reports, trade secrets no longer enjoy legal protection, whereas patents typically have a life of 21 years.
 See more details in Jen Weedon, Testimony before the U.S.-China Economic and Security Review Commission, June 15, 2015 (accessed on September 14, 2015).
 China’s 12th Five-Year Plan prioritizes nuclear, wind, and solar energy; energy conservation and environmental protection; drugs and medical devices; rare earth and high-end semi-conductors; information technology; aerospace; telecommunications; and clean energy vehicles.
 Center for Strategic and International Studies, Net Losses: Estimating the global cost of cybercrime, June 2014. This $100 billion figure falls in the middle of available estimates, which run from $14 billion to $350 billion. See chapter 16 in C. Fred Bergsten, Gary Clyde Hufbauer, and Sean Miner, Bridging the Pacific: Toward Free Trade and Investment between China and the United States, Peterson Institute for International Economics, 2014.
 Chris Rasmussen and Martin Johnson, “Jobs Supported by Exports 2014: An Update,” Office of Trade and Economic Analysis in the Department of Commerce, March 4, 2015 (accessed on September 14, 2015).
 Barack Obama, “Remarks by the President to the Business Roundtable,” Washington, September 16, 2015 (accessed on September 21, 2015).
 Data that was stolen includes the information of employees about “the background checks, security clearances, job assignments, job performance and training of affected federal employees [that] would serve Chinese actors to launch spear phishing attacks.” See Paul M. Tiao, Testimony before the U.S.-China Economic and Security Review Commission, June 15, 2015 (accessed on September 14, 2015). Even if the compromised data did not include the records of US CIA employees, a process of elimination might allow the hackers to identify those posted abroad under diplomatic cover. See Economist, “Trouble Shooting,” September 12, 2015, p. 27.
 See Damian Paletta, “Former CIA Chief Says Government Data Breach Could Help China Recruit Spies,” Wall Street Journal, June 15, 2015.
 This was not always the US view. A 1998 National Research Council report stated that the NSA boasted about the contribution of its Signals Intelligence (SIGINT) to US firms, and contemporaneous comments by then CIA Director Stansfield Turner lauded the benefits of economic espionage. Since that time, US views on commercial espionage have radically changed. See Claude Barfield, “The Flawed US indictment of Chinese hackers,” techpolicydaily.com, June 6, 2014.