Why the U.S.-China Cyber Spying Ban Will Inevitably Fail
On a cool fall day in late September, President Obama and Chinese President Xi Jinping stood together in the White House Rose Garden and pledged “that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property (IP), including trade secrets, or other confidential business information, with the intent of providing competitive advantage to companies or commercial sectors.” Obama added that the U.S. government would be watching closely to ensure that “words are followed by action.” In a seemingly strong sign of goodwill, the Chinese government had prior to the announcement already quietly arrested a number of hackers, identified as having stolen commercial secrets from American corporations.
While the Obama-Xi meetings did lead to some notable successes, such as the Chinese purchase of 300 Boeing airplanes, the agreement on cyberespionage is not one of them. Barely a day had passed since the announcement when CrowdStrike, a cybersecurity service provider, accused “Chinese government-affiliated actors,” of attempting to hack into their client’s networks. In a blog post, CrowdStrike noted that the intrusions were against technology and pharmaceutical sectors, which implied they were conducted with the goal of stealing IP and trade secrets.
The media immediately seized on this announcement with much excitement, but it should not have come as a surprise. There are five main reasons why the agreement was never really more than words:
1. Chinese unrestricted warfare includes peacetime economic warfare.
In 1999, People’s Liberation Army (PLA) colonels Qiao Ling and Wang Xiangsui published a text, entitled Unrestricted Warfare, which argued that modern warfare transcends the “matériel” of the military domain and includes information, economic and psychological operations. Moreover, unrestricted warfare was not simply a strategy to be operationalized at the onset of active hostilities; it could also be used in peacetime as a subcomponent of a strategy for long-term competition with the United States and other Western countries.
It is perhaps within this framework that the People’s Republic of China’s (PRC) use of economic cyberespionage can best be understood. The theft of IP and trade secrets is a form of economic warfare—it levels the economic and technological playing field, progressively diluting the core strengths of a competitor or potential adversary for strategic ends. Industrial espionage does not necessarily need to be aimed against classified systems to yield national security benefits. Many unclassified systems may contain information on technology and innovation that is currently under export control or, in the case of intrusions of software vendors, provide potential insight into latent vulnerabilities that can be leveraged for future purposes.
Past cyber-industrial espionage campaigns such as Titan Rain and Operation Aurora, both of which have been largely attributed to China, fit within this framework. In both cases, the targeted systems were unclassified, but the amount of data exfiltrated over a prolonged period of time—allegedly twenty-four months in the case of Titan Rain and about six in the case of Operation Aurora—undoubtedly provided some economic and intelligence benefit. Former FBI Assistant Director for Counterintelligence Dave Szady has dubbed this the “thousand grain approach”: the notion that most intelligence requirements can be met through the mass accumulation of open source data.
Given the centrality of such thinking in Chinese strategic thought, it is highly unlikely that industrial espionage could ever cease to exist after an agreement.
2. The Chinese R&D strategy supports acquiring foreign technology via espionage.