Is Indicting Chinese Hackers a Smart Move or Dumb Strategy?
A conversation about responding to Chinese cyberespionage.
On Monday, May 19, U.S. Attorney General Eric Holder accused China of hacking American industrial giants such as U.S. Steel and Westinghouse Electric — an unprecedented criminal charge of cyber-espionage against Chinese military officials. Responding almost immediately, the Chinese Foreign Ministry said Beijing had canceled U.S.-China Internet working group activities and demanded that the United States rescind the charges, which the ministry said were "concocted." Will the United States succeed? Is Washington opening itself up to more criticism of its own electronic surveillance? And what are the charges likely to do to U.S.-China relations overall?
I assume China is guilty as charged — that the five accused People’s Liberation Army officers or others in their demographic committed cyber-espionage against American firms to steal technology and gain other competitive advantages. I assume there were more than five people involved.
It’s a serious problem, and China denies its existence. This makes bilateral discussion of the matter a bit one-sided. When China refuses to engage seriously on an issue, either through denial in the face of strong evidence or through unevidenced assertion of its own positions, the United States increasingly resorts to name-and-shame tactics. In the South China Sea, China’s defense of its territorial claims is pushing the United States toward ever bolder rejection of the nine-dash line.
Against this background, and under American law, the Justice Department’s indictments are justified. But they won’t be effective, and they may prove counterproductive.
No one expects China’s leaders to extradite the officers or to confess that they were following orders from the party they serve. What we should expect — and what we got from China right after Holder’s announcement — is stronger denials, tit-for-tat accusations, and suspension of the Sino-U.S. Cyber Working Group’s interactions. This response surely figured into the U.S. government’s calculations. It went ahead with the indictments, probably in order to demonstrate its commitment to protecting American businesses and for lack of a better idea.
Name-and-shame is, after all, a tactic of last resort — a throwing up of hands. It’s an understandable reaction, but it doesn’t work with China, at least in the short or medium term.
Not only will the indictments not solve the cyber-espionage problem, but naming Chinese officers as international criminals may harm the U.S.-China military-to-military relationship, which has improved lately. A top Chinese general was in Washington in mid-May at the invitation of the U.S. chairman of the Joint Chiefs of Staff, and China will, for the first time, participate in the Rim of the Pacific military exercises hosted by the United States this summer. Exchanges such as these can decrease the likelihood of accidental conflict and improve joint crisis management. It would be a blow to the relationship if China canceled military exchanges in response to the indictments.
The American case against China would be stronger if other offended nations stood beside the United States. The National Security Agency’s hacking programs make that unlikely, of course. They also make American moralizing on distinctions between espionage for security’s sake and espionage for economic advantage unconvincing to many Chinese. In China’s political and popular narrative, the humiliations China suffered at foreign hands beginning in the mid-19th century mean that the moral balance will be tilted in China’s favor for some time between the foreseeable future and forever. China is always the injured party; that is as central to China’s virtue narrative as Holder’s statement that "the success of American companies since our nation’s founding has been the result of hard work and fair play by our citizens" is to that of the United States. China’s state-owned enterprises, furthermore, play a role in China’s national security as profit centers, bearers of prestige, and channels for the introduction of technology. Their prosperity is essential to state security from the Chinese Communist Party’s point of view.
I don’t mean to imply that America is wrong about the facts in this case. I do wonder whether U.S. policy is wrongheaded. If the goal is to alleviate the problem, making China lose face (I know, I know — they did it to themselves) is not the way to go. China cares more about face than America does and will fight harder to save it. Bilateral and multilateral consultation will yield better results over an arduous, imperfect long run. The best we’ve got is unsatisfactory, but it’s still the best we’ve got.
I think it’s a terrible action taken by the U.S. Justice Department to indict five Chinese military officials for alleged cyberattacks, which the Chinese have totally denied.
First, such action has destroyed the mood for bilateral talks on cybersecurity. So it’s not a surprise that the Chinese Foreign Ministry would immediately react by canceling the Internet working group meeting. And the United States should be held responsible for damaging such a mechanism that the two governments worked hard to set up in 2013.
Second, the U.S. action could invite Chinese retaliation, such as indicting U.S. officials responsible for the widespread National Security Agency hacking into Chinese government, military, and commercial entities. And we all know that tit for tat leads to nowhere but only escalation. But I am curious to see who might be on the list.
Third, indicting five military officials seems to suggest that what has been alleged by the United States falls in the military and national security domain. And if that is true, it is something that the United States has been doing more aggressively than other nations.
Fourth and definitely most important, the United States is now known to be the largest cyberattacker in the world, after leaker Edward Snowden’s revelations. So the United States has completely lost its moral high ground to teach others what should be the norms or rules of the road in cyberspace. It should work with others. The United States only claims what it does not do, which I don’t believe. But the United States has never said what it does, given the huge capacity it has in cyberspace.
I am pretty sure that the large percentage of Snowden’s files that have not been made public will eventually serve as the best proof of how ridiculous it is for the United States to charge other nations with cyber-espionage.
This indictment may be an unprecedented and audacious step in confronting one of the emerging pressing issues of these digital times. I believe, however, that it is unfortunately a problematic one. Daly and Chen have already pointed at its effect on Sino-U.S. relations in cybergovernance and related fields. May 19’s New York Times analysis discusses the difficulty of separating the economic and security dimensions of cyber-espionage and hacking. It also quotes Mandiant founder Kevin Mandia, whose February 2013 report brought China’s cybercapacity to the top of the agenda, as saying, "This was a logical escalation of the pressure."
Except, it was not. A logical escalation of pressure would have been a civil intellectual-property or trade-secrets suit against those Chinese companies that use allegedly stolen information. This could take place in a third locality, such as Hong Kong or Singapore. A civil conviction might have even more profound consequences: It would impact Chinese state-owned enterprises’ ability to operate lawfully in overseas markets, apply for stock exchange listings, and even settle payments in dollars. Their foreign assets might be liable to seizure, and key staff members might be limited in their travel options. In short, a civil conviction would hit them where it hurt, unlike this criminal procedure. Furthermore, a civil suit, initiated by a victim of hacking, would have the benefit of keeping some clear water between government and commerce. It would enable the U.S. government to maintain the dialogue in the cyber working group and other forums, while leveraging private initiatives to obtain agreements on more workable rules and practices. This would give greater credibility to the security-commerce juxtaposition in U.S. discourse and provide a better defense against the inevitable accusations of hypocrisy that have rapidly arisen.
To be sure, a civil suit would have had its own difficulties. Evidentiary proceedings would be a nightmare, while individual companies would suffer from first-mover disadvantage, jeopardizing access to Chinese markets, materials, and opportunities in a process equally or more beneficial to other companies. In that sense, a government-initiated suit at least provides an easier way out. But this simplicity comes at the price of soured governmental relationships and fallout in other policy areas, such as currency or the environment, against no apparent benefit.