By Adam Segal

In September 2015, presidents Barack Obama and Xi Jinping stood next to each other and declared that neither the US nor the Chinese government ‘will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage’.1 Despite significant scepticism about whether China would uphold its pledge, cybersecurity companies and US officials suggested that the number of attacks did in fact decline

in the first year of the agreement. China inked similar deals with Australia, Canada, Germany and the UK, and, in November 2015, China, Brazil, Russia, the US and other members of the Group of Twenty accepted the norm against conducting cyber-enabled theft of IP.2 The agreement has been held up as evidence that a policy of public ‘naming and shaming’ tied to a threat of sanctions can change state actions, and as a success by the US and its allies in defining a norm of state behaviour in cyberspace.

There is, however, increasing evidence that Chinese hackers re-emerged in 2017 and are now violating both the letter and the spirit of the agreement. CrowdStrike, FireEye, PwC, Symantec and other companies have reported attacks on US companies, and the Trump administration has claimed that ‘Evidence indicates that China continues its policy and practice, spanning more than a decade, of using cyber intrusions to target US firms to access their sensitive commercial information and trade secrets.’3 The initial downturn in activity appears less to be the result of US pressure and more of an internal reorganisation of cyber forces in the People’s Liberation Army (PLA). Moreover, it’s increasingly clear that the number of attacks isn’t the correct metric for the Sino-US cyber relationship. A decline in the number of attacks doesn’t necessarily mean a decrease in their impact on US economic interests, as Chinese operators have significantly improved their tradecraft.

Washington and its allies will soon have to decide what they’re going to do (again) about Chinese industrial cyber espionage. The Trump administration’s approach so far has been indirect, raising China-based hacking in the context of a larger critique of Beijing’s industrial policy and failure to protect IP. Without significant pushback, China is likely to believe that it has reached a new equilibrium with Washington defined by an absolute smaller number of higher impact cyber operations.

The challenge of industrial cyber espionage

For at least a decade and a half, Chinese hackers have conducted a widespread campaign of industrial cyber espionage, targeting private sector companies in an effort to steal IP, trade secrets and other information that could help China become economically more competitive. President Xi has set the goal for China to become a ‘world leading’ science and technology power by 2049, and the country has significantly ramped-up spending on research and development, expanded enrolment in science, technology, engineering and mathematics disciplines at universities, and pushed industrial policy in areas such as semiconductors, artificial intelligence and quantum computing. However, the country also continues to rely on industrial espionage directed at high-technology and advanced manufacturing companies. Hackers have also reportedly targeted the negotiation strategies and financial information of energy, banking, law, pharmaceuticals and other companies. In 2013, the Commission on the Theft of American Intellectual Property, chaired by former Director of National Intelligence Admiral Dennis Blair and former US Ambassador to China Jon Huntsman, estimated that the theft of IP totalled US$300 billion (A$412 billion, €257 billion) annually, and that 50–80% of thefts

were by China.4

The US responded to state-sponsored Chinese cyberattacks with a two-step process. First, Washington created a distinction between legitimate espionage for political and military purposes and the cyber-enabled theft of IP. As President Obama framed it:

Every country in the world, large and small, engages in intelligence gathering. There’s a big difference between China wanting to figure out how can they find out what my talking points are when I’m meeting with the Japanese which is standard and a hacker directly connected with the Chinese government or the Chinese military breaking into Apple’s software systems to see if they can obtain the designs for the latest Apple product. That’s theft. And we can’t tolerate that.5

Espionage against defence industries, such as the theft of highly sensitive data related to undersea warfare, first reported in June 2018, would be considered legitimate, and the onus would be on the defender to keep hackers out of its systems.6

Second, Washington directly and increasingly publicly confronted Beijing. In the winter of 2013, the incident response firm Mandiant, now part of FireEye, put out a report tracing cyber espionage on American companies to Unit 61938 of the PLA, located in a building on the outskirts of Shanghai.7 A few days later, the Department of Homeland Security provided internet service providers with the IPs of hacking groups in China. In March 2013, at a speech at the Asia Society, National Security Advisor Tom Donilon spoke of ‘serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale’.8 When the two met at Sunnylands in June 2013, then President Obama warned President Xi that the hacking could severely damage the bilateral relationship.

In May 2014, the Federal Bureau of Investigation indicted five PLA hackers for stealing the business plans and other IP of Westinghouse Electric, United States Steel Corporation and other companies.9 In April 2015, the President signed an executive order that would allow for economic sanctions against companies or individuals that profited from the ill-gotten gains of cyber theft. The order threatened to block financial transactions routed through the US, limit access to the US market and prevent company executives from travelling through the US. The Washington Post reported in August 2015 that the administration planned to levy those sanctions against Chinese companies.10 Worried that sanctions or indictments would cast a pall over the September presidential summit, Meng Jianzhu, a member of the political bureau of the Central Committee of the Chinese Communist Party, flew to Washington to make a deal.

First year decline

In the first year, the available evidence suggested that Beijing was upholding the agreement and that the overall level of Chinese hacking had declined. FireEye released a report in June 2016 that showed the number of network compromises by the China-based hacking groups that it was tracking dropping from 60 in February 2013 to fewer than 10 by May 2016.11 However, FireEye noted that Chinese hackers could drop the total number of attacks while increasing their sophistication. Around the same time, US Assistant Attorney General John Carlin confirmed the company’s findings that attacks were fewer but more focused and calculated.

As the report also noted, the decline began before September 2015, undermining the causal link between US policy and Chinese behaviour. There were two internal factors in play. First, soon after taking office, Xi launched a massive and sustained anticorruption campaign. Many hackers were launching attacks for private gain after work, misappropriating state resources by using the infrastructure they had built during official hours. Hacking for personal profit was caught up in a broad

clampdown on illegal activities.

Second, the PLA was engaged in an internal reorganisation, consolidating forces and control over activities. Cyber operations had been spread across 3PLA and 4PLA units, and the General Staff Department Third Department had been managing at least 12 operational bureaus and three research institutes. In December 2015, China established its new Strategic Support Force, whose responsibilities include electronic warfare, cyber offence and defence, and psychological warfare. In effect, PLA cyber forces were told to concentrate on operations in support of military goals and move out of industrial espionage.

The first publicly reported cyber espionage attempts in the wake of the agreement were either against military targets or involved the theft of dual-use technologies that would fall in the grey zone. Cyber industrial espionage attacks didn’t end, but instead were transferred to units connected with the Ministry of State Security.12 While the organisation of these groups is less well understood, the ministry appears more willing than PLA groups to use contractors to maintain plausible deniability and reduce the risk of attribution.

Several US cybersecurity company analysts have described the ministry groups’ tradecraft as significantly better than that displayed by the PLA.13 Hackers have made more use of encryption and gone after cloud providers and other IT services that would provide access to numerous targets. In April 2017, for example, security researchers at PwC UK and BAE Systems claimed that China-based hackers were targeting companies through their managed IT service providers.14 The Israeli cybersecurity company Intezer Labs concluded that Chinese hackers embedded malware in the popular file-cleaning program CCleaner.15 In June 2018, Symantec attributed attacks on satellite communications and telecommunication companies in the US and Southeast Asia to a China-based group.16

Outlook

Almost three years after the agreement, judgements on its effectiveness are much harsher. While a former intelligence official argued that US efforts did succeed in getting Beijing to acknowledge a difference between the cyber-enabled theft of IP and political–military espionage, other security researchers were more sceptical. As one put it, ‘Beijing never intended to stop commercial espionage. They just intended to stop getting caught.’ Another believed that Chinese policymakers decided to get credit for a decline in activity that was inevitable in the wake of the PLA reorganisation—a move that had been long in the works.

The Trump administration has pressed Beijing on cyberespionage but as part of much bigger push on trade policy and economic security. In November 2017, the Justice Department indicted three Chinese nationals employed by Chinese cybersecurity firm Boyusec, charging them with hacking into the computer systems of Moody’s Analytics, Siemens AG, and GPS developer Trimble Inc. ‘for the purpose of commercial advantage and private financial gain’.17 US Government officials reportedly asked for Chinese Government help in stopping Boyusec’s activities, but received no reply. Despite Recorded Future and FireEye claiming a connection between Boyusec and the Ministry of State Security, the indictment didn’t call out Chinese Government support for the hackers.18

The US Trade Representative’s March 2018 investigation of China’s policies and practices related to tech transfer and IP states that the US:

has been closely monitoring China’s cyber activities since this [the September 2015] consensus was reached, and the evidence indicates that cyber intrusions into US commercial networks in line with Chinese industrial policy goals continue. Beijing’s cyber espionage against US companies persists and continues to evolve.19

A draft trade framework allegedly provided by US negotiators to their Chinese counterparts, which circulated on Twitter and Weibo in May 2018, calls on Beijing to ‘immediately cease the targeting of American technology and intellectual property through cyber operations, economic espionage, counterfeiting, and piracy’.20

The current trade war with China has two sources: US concern about the bilateral trade deficit, and opposition to Beijing’s use of industrial policy and the theft of IP to compete in high-technology areas. While President Trump has been focused on the deficit, those within the administration pressuring Beijing on its mercantilism should push the cyber issue further up the bilateral agenda. A more direct policy would include a statement from a high-level US official, perhaps Secretary of State Michael Pompeo, that the hacking has resumed and that the US is prepared to use Executive Order 13694, ‘Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities’.21 Soon after, Washington would sanction individuals involved in the hacking as well as the firms that benefit from it.

Even if the White House were to follow such a policy line, it’s likely that Beijing will continue industrial cyber espionage. James Mulvenon argues that Chinese policymakers now believe that they’ve reached a new equilibrium with the US. Shifting industrial cyber espionage to the Ministry of State Security and deploying a higher level of tradecraft have created an equivalent of the hacking conducted by the US National Security Agency. If this is the case, it means that Beijing never truly accepted the distinction that Washington promoted between ‘good’ and ‘bad’ hacking, between cyber-enabled theft to support the competitiveness of Chinese industry and political–military espionage. Instead, Chinese policymakers saw the issue in terms of a high level of relatively ‘noisy’ activity (for which they were likely to get caught and be called out on). Bringing the hacking more in line with what it believes the National Security Agency conducts—a smaller number of hacks that nevertheless give the US large-scale access to Chinese assets—has, in Beijing’s view, resolved the issue. This isn’t the resolution the US hoped for when it first announced the September 2015 agreement, but it may be the one it has to live with now.