Ahead of Xi’s Visit, U.S. Struggling to Stop China’s Hackers

President Barack Obama has a blunt message for Beijing’s hacker army: You’re good, but we’re better. “If we wanted to go on offense,” he boasted to a group of business leaders last week, “a whole bunch of countries would have some significant problems.”

The tough talk reflects Obama’s insistence that the United States has ways of retaliating for what he has described as the rampant theft of American intellectual property by Chinese state-sponsored hackers, an issue likely to dominate the president’s meeting with his Chinese counterpart, Xi Jinping, later this week. But Obama’s bluster underlines what has become a depressing reality for the president as he approaches the end of his tenure in office: Despite years of threats, cajoling, and indictments aimed at deterring China from stealing American commercial secrets, Washington has made little progress in developing a set of tools that would deter Beijing’s cyberspies from breaching the networks of major companies like Westinghouse and then passing on their trade secrets to Chinese state-owned enterprises. As a result, the administration is considering rolling out a limited set of sanctions against Chinese firms suspected of benefiting from economic espionage — and perhaps the hackers who carried out the operations as well.

Lacking the tools to force China to give up its commercial espionage, Obama and his top spy, Director of National Intelligence James Clapper, have spoken in recent weeks of the need for a “basic international framework” to establish “rules of the road” for cyberspace. With Xi in town, Beijing and Washington are negotiating what the New York Times reported on Saturday as an arms control agreement for cyberspace that would bar either country from waging a hacking campaign against the other nation’s critical infrastructure.

The White House refused to comment on the news, which would reportedly involve both countries endorsing a U.N. experts group report that Chinese and U.S. officials were involved in drafting and that lays out a set of basic principles for states’ use of cyberweapons. That report recommends that states “should not conduct or knowingly support” any “activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.” By endorsing that message, the United States and China would appear to rule out peacetime attacks on things such as power grids and financial systems.

Moreover, the U.N. report, dated June 26, 2015, urges states not to support proxies who carry out malicious activity online and to ensure that such activity does not take place within its borders. According to U.S. claims, China has in the past used hackers working as proxies for the state to shield its responsibility for online attacks.

In a speech Monday at George Washington University, National Security Advisor Susan Rice called on China to halt what she called “state-sponsored, cyber-enabled economic espionage.” “This isn’t a mild irritation,” she said. “It puts enormous strain on our bilateral relationship, and it is a critical factor in determining the future trajectory of U.S.-China ties. Cyber-enabled espionage that targets personal and corporate information for the economic gain of businesses undermines our long-term economic cooperation, and it needs to stop.”

But the report that is the basis of this alleged diplomatic accord between China and the United States says nothing about outlawing the theft of intellectual property. James Lewis, a cybersecurity expert at the Center for Strategic and International Studies who participated in the drafting of the U.N. report, said an agreement that “ignores the source of tension” would be “a major concession by the United States.”

National Security Council spokesman Mark Stroh refused to comment. The Chinese Embassy in Washington did not return requests for comment.

At the heart of that conflict lies a very basic disagreement between Chinese and American spies as to what constitutes legitimate intelligence activity. Both Washington and Beijing are willing to accept that their opponent will carry out a certain amount of digital espionage — penetrating military computers, for instance, or eavesdropping on official communications — but the United States argues that China violates the unwritten rules of international espionage when it takes the information it steals and passes it on to Chinese state-owned companies.

“The problem is that the Chinese define ‘national security’ to include ‘economic security,’ which includes state-owned industries,” said Patrick Cronin, the senior director of the Asia-Pacific Security Program at the Center for a New American Security. “For the United States, there is a gap on that issue. We don’t think that the government should be involved in making companies rich.”

In trying to convince China to stop passing purloined secrets to its state enterprises, the United States is making a narrow argument, for American spies also target companies. Documents published by NSA whistleblower Edward Snowden reveal that the U.S. intelligence community surreptitiously gained access to Brazilian state energy giant Petrobras, a European tech manufacturer, and Chinese telecom firm Huawei. No evidence has been presented that intelligence obtained from those operations was passed along to U.S. companies for commercial benefit, but from Beijing’s perspective it’s not difficult to make the case that American spies aren’t so different from their Chinese counterparts.

As a result, when former Florida governor and GOP presidential candidate Jeb Bush made a little-noticed comment at last week’s Republican debate that the United States “should use offensive tactics as it relates to cybersecurity to send a deterrent signal to China,” real spies scoffed.

“What are we going to do?” asked former NSA and CIA Director Michael Hayden. “Steal Chinese state secrets? We do that anyway!” Hayden said he favored the application of sanctions as a way to “use all the tools of statecraft to encourage people toward proper behavior.”

When Obama talks about establishing some “rules of the road” for cyberspace and the competition there between China and the United States, he seems to imply that there are currently no limits whatsoever on cyber-related behavior. And that isn’t quite true. Although commentary and punditry on the nature of warfare in cyberspace often approaches the hyperbolic — then-Defense Secretary Leon Panetta’s 2012 warning that the United States was facing an imminent “cyber-Pearl Harbor” is a classic example of a dire prediction that hasn’t come to pass — there are in fact several categories of attacks that state-hackers on both sides of the Pacific have so far forsworn.

“I see no evidence that the Chinese have been or would be interested in the destruction of American data, or disabling American networks, or using a cyberweapon to create physical damage,” Hayden said. “What I see in Chinese behavior is simply the theft of information.”

In other words, the kind of activity China would be giving up under the agreement is activity that it isn’t carrying out and that Beijing apparently does not see as being in its best interests anyway. Commercial espionage, on the other hand, is very much something China sees as a vital interest. “Trying to deter China from theft of intellectual property is inherently hard. They’re highly motivated, our systems have generally been unprotected, and there have been no penalties of any kind for a long time,” said a former senior defense official, who requested anonymity to candidly assess the difficulties facing the U.S. government of altering Chinese behavior.

Economic priorities further incentivize Chinese economic espionage. “It’s not just about feeding their people,” the official added. “Over the long term, they need to have economic growth to support their view of political stability.”

Confronted with a limited set of options to influence Chinese behavior, the U.S. government has in recent weeks been locked in an intense debate over whether to hit China with one of the few tools on hand: financial sanctions. Last week, Obama himself hinted that sanctions directed at China are in the pipeline. “We are preparing a number of measures that will indicate to the Chinese that this is not just a matter of us being mildly upset but is something that will put significant strains on the bilateral relationship if not resolved,” he said during an appearance at the Business Roundtable. “We are prepared to [use] some countervailing actions in order to get their attention.”

According to three former senior administration officials familiar with the contents of the internal debate, U.S. intelligence and military officials generally pushed hard in the run-up to Xi’s visit for sanctions that would likely target companies that have benefited from economic espionage and perhaps the hackers who carried out the operations. Diplomatic and economic officials resisted that move and cautioned against a measure they believed would blow up a summit with China’s top leader that will also feature discussion on a range of key issues besides cybersecurity, among them climate change and the global economy.

If this week’s talks end without a cyber-deal — and widespread Chinese theft of U.S. intellectual property continues unabated — the administration will have to either actually impose the sanctions or be exposed for having made what turned out to be an empty threat.

“The failure to apply sanctions before Obama leaves office would be a significant error, and I think most people within the administration understand that it would be an error not to do so,” said the former senior U.S. defense official.

The sanctions debate within the administration partly focuses on whom to target in order to achieve a deterrent effect on Chinese economic espionage. “One would be a reasonably high-level Chinese official involved in a cyberattack on the United States,” said a former administration official, who asked for anonymity to discuss internal deliberations. “The other meaningful target would be a company that has some exposure in the United States, which would face some losses as a result.”

In order to have a chance at successfully deterring Chinese intellectual property theft, such an effort would likely need to be sustained over some time. “The way you really get impact on sanctions is having meaningful actions on a serial basis,” said a former National Security Council official who worked on sanctions policy during his time in government. “You do one entity and then another. It’s a trunk and branch approach.” Moreover, using sanctions as a deterrent tool in cyberspace presents some unique challenges. Sophisticated actors obscure their physical location by technical means and commandeer third party networks to carry out their attacks. “Finding the ‘parent,’ so to speak, is harder and harder. It’s possible, but it’s a heavier lift,” the official said.

So in the emerging great power rivalry between China and the United States, the two countries are now approaching a point in cyberspace where they can try to salvage a bit of cooperation or continue down a path of further competition that will see the United States likely apply sanctions. The diplomatic agreement may provide a small measure of cooperation, and there are signs China may be stepping back its campaign of commercial espionage, with cybersecurity experts saying this week that they’ve seen a slight reduction in Chinese attacks. But there’s still little evidence to indicate that the United States has solved the riddle of how to end Chinese commercial espionage.

Photo credit: JEWEL SAMAD/AFP/Getty Images