FOREIGN governments and companies have long suspected that the Chinese hackers besieging their networks have links to the country’s armed forces. On February 19th Mandiant, an American security company, offered evidence that this is indeed so. A report, the fruit of six years of investigations, tracks individual members of one Chinese hacker group, with aliases such as Ugly Gorilla and SuperHard, to a nondescript district in residential Shanghai that is home to Unit 61398 of the People’s Liberation Army. China has condemned the Mandiant report. On February 20th America announced plans to combat the theft of trade secrets.

Mandiant claims that hackers at Unit 61398 have stolen technology blueprints, negotiating strategies and manufacturing processes from more than 100, mainly American, companies in a score of industries (see article). Its report does not name the victims, but a related New York Times investigation has found evidence that hackers targeted a company providing internet security for American spooks. The hackers also gained access to the systems of an American defence contractor. Perhaps most worrying, they broke into networks of a company that helps utilities to run North American pipelines and power grids. Nobody knows how many billions of dollars cybercrime costs businesses. But pretty much everyone has come to believe that China is the most egregious offender.

America is not an innocent in the world of cyber-spying. It does plenty itself, and acknowledges that these operations are a legitimate part of national security. At the same time, however, it should do more to promote the idea that everyone would gain from “cyberarms control” to set the rules of engagement.

The Mandiant report shows China’s definition of national security includes outright theft. One lesson is that all companies need urgently to upgrade their defences. President Barack Obama has announced measures for greater co-operation between American firms and government agencies to share information. Many companies have been too scared to admit they have been hacked, for fear of alarming clients and investors. In their own interests, they need to open up.

America also needs to make it clear to China that state-sponsored crime is unacceptable. Until now the United States has tended to complain about China’s cyberthieves behind closed doors in discussions with Chinese officials. But with more evidence emerging of China’s flagrant abuses, more naming and shaming should be considered.

Control, Alt, Delete

There are lessons for China’s new leader, too. Xi Jinping has come to power suggesting that China must embrace reform and show more respect for the rule of law. Now he has the chance to demonstrate that he really means this. China claims the Mandiant report is flawed and lacks “technical proof”. That is a missed opportunity. Though it goes against every instinct of the secretive Communist Party, Mr Xi could acknowledge that cybercrime emanates from state-sponsored entities and that his government will now rein them in. If he does not, China will be taken less seriously when it decries the West’s talk of a “China threat”. And Chinese companies will continue to be treated with suspicion when they seek to buy or work with businesses abroad. China should bring its army of thieves to order.