On a cool fall day in late September, President Obama and Chinese President Xi Jinping stood together in the White House Rose Garden and pledged “that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property (IP), including trade secrets, or other confidential business information, with the intent of providing competitive advantage to companies or commercial sectors.” Obama added that the U.S. government would be watching closely to ensure that “words are followed by action.” In a seemingly strong sign of goodwill, the Chinese government had prior to the announcement already quietly arrested a number of hackers, identified as having stolen commercial secrets from American corporations.
While the Obama-Xi meetings did lead to some notable successes, such as the Chinese purchase of 300 Boeing airplanes, the agreement on cyberespionage is not one of them. Barely a day had passed since the announcement when CrowdStrike, a cybersecurity service provider, accused “Chinese government-affiliated actors” of attempting to hack into their client’s networks. In a blog post, CrowdStrike noted that the intrusions were against technology and pharmaceutical sectors, which implied they were conducted with the goal of stealing IP and trade secrets.
The media immediately seized on this announcement with much excitement, but it should not have come as a surprise. There are five main reasons why the agreement was never really more than words:
1. Chinese unrestricted warfare includes peacetime economic warfare.
In 1999, People’s Liberation Army (PLA) colonels Qiao Liang and Wang Xiangsui published a text, entitled Unrestricted Warfare, which argued that modern warfare transcends the “matériel” of the military domain and includes information, economic and psychological operations. Moreover, unrestricted warfare was not simply a strategy to be operationalized at the onset of active hostilities; it could also be used in peacetime as a subcomponent of a strategy for long-term competition with the United States and other Western countries.
It is perhaps within this framework that the People’s Republic of China’s (PRC) use of economic cyberespionage can best be understood. The theft of IP and trade secrets is a form of economic warfare—it levels the economic and technological playing field, progressively diluting the core strengths of a competitor or potential adversary for strategic ends. Industrial espionage does not necessarily need to be aimed against classified systems to yield national security benefits. Many unclassified systems may contain information on technology and innovation that is currently under export control or, in the case of intrusions of software vendors, provide potential insight into latent vulnerabilities that can be leveraged for future purposes.
Past cyber-industrial espionage campaigns such as Titan Rain and Operation Aurora, both of which have been largely attributed to China, fit within this framework. In both cases, the targeted systems were unclassified, but the amount of data exfiltrated over a prolonged period of time—allegedly twenty-four months in the case of Titan Rain and about six in the case of Operation Aurora—undoubtedly provided some economic and intelligence benefit. Former FBI Assistant Director for Counterintelligence Dave Szady has dubbed this the “thousand grain approach”: the notion that most intelligence requirements can be met through the mass accumulation of open source data.
Given the centrality of such thinking in Chinese strategic thought, it is highly unlikely that industrial espionage could ever cease to exist after an agreement.
2. The Chinese R&D strategy supports acquiring foreign technology via espionage.
The impetus for Chinese industrial espionage is also captured in Beijing’s research and development (R&D) strategy. China’s “National Medium and Long-Term Plan for Science and Technology Development (2006-2020),” known in the West as the MLP, describes itself as being the “grand blueprint for science and technology development” required to realize the “great renaissance of the Chinese nation.” While the MLP does promote a policy of indigenous innovation, it also advocates “enhancing original innovation through co-innovation and re-innovation based on the assimilation of technologies.” Accordingly, many international technology companies consider the MLP an official green light for industrial espionage.
Furthermore, the U.S. Counterintelligence Executive has detailed how aspects of China’s science and technology modernization strategy, known as the “863 Program,” explicitly provides funding and guidance on how to clandestinely acquire U.S. technology and other sensitive information for the purpose of the PLA, in addition to funding indigenous R&D efforts. Of the nine foreign espionage cases that have been prosecuted in the States between 1996 and 2011, three were linked to the 863 Program.
3. Cyber is fragmented across the PRC; an agreement may not have consensus.
As John Lindsey so aptly notes, “there is no single Chinese view on cybersecurity and cyberwarfare, just as there is no one Western view.” While China does have a one-party system, Chinese policy on cybersecurity is in reality highly fragmented, both functionally and regionally. The Party, State Council, PLA and provincial governments thus all have differing roles and responsibilities. When combined, the multiplicity of actors, lack of transparency and absence of effective policy coordination in the Chinese system create a “Wild East” approach to cybersecurity policy. It is therefore possible that even though ranking members of the Communist party may be in favor of an anti–corporate espionage agreement, other government entities are not.
4. On the other hand, Chinese e-crime capabilities are well-developed. If the PRC wants to truly stop large-scale corporate theft, it conceivably could.
There has been a general trend in China whereby former “black hat” hackers are integrated into the “white hat” PRC mainstream. For instance, Peng Yinan, who is the alleged cofounder of the Chinese hacking group Javaphile, is now believed to be conducting research on behalf of the government. In 2008, Yinan published two academic articles on cyberespionage techniques, under Shanghai Jiaotong University’s Information Security Engineering Institute’s affiliation. The Institute has been a recruiting pool for both the PRC’s Foreign Intelligence and for the PLA.
In 2009, following a series of high-profile foreign government web defacements, the Chinese government expanded their anti-hacking laws. Prior to 2009, the anti-hacking laws only prohibited intrusions into PRC government computer systems; however, post-2009 the legislation also included “patriot” hackers. The 2009 anti-hacking developments were accompanied by a string of high-profile arrests. Since the laws’ expansion, a large number of hacker communities have been forcibly integrated into legitimate “white hat” entities, such as computer security companies, consulting firms and academia. These entities, in turn, forged closer ties with Beijing and the military. Given that hackers are structurally incorporated into the government apparatus, it is very likely that some corporate cyberespionage attacks are implicitly endorsed by the PRC.
Furthermore, while cybersecurity may be bureaucratically fragmented across the system, this does not mean that Beijing lacks credible e-crime enforcement capabilities. As demonstrated by the 2009 arrests, the PRC has the capability to clamp down on hackers when it deems doing so to be in its interest. For instance, this past summer the PRC launched a six-month campaign called “Operation Clean Internet,” which sought to arrest people for alleged cybercrimes, ranging from hacking to spam text messages and online scams. According to the Ministry of Public Security, by September 15,000 people had been arrested.
5. China’s actions speak louder than its professed acquiescence to global norms.