The U.S. Hoped Indicting 5 Chinese Hackers Would Deter Beijing’s Cyberwarriors. It Hasn’t Worked.
A year and a half after their indictment, will the members of PLA Unit 61398 ever see the inside of a federal courtroom?
On May 19, 2014, Attorney General Eric Holder walked up to a podium at the Justice Department and accused a group of five hackers with names like UglyGorilla and KandyGoo of carrying out a high-tech campaign of electronic burglary against prominent American businesses like U.S. Steel and Westinghouse Electric. Despite their teenage monikers, the 48-page indictment said the perpetrators were soldiers from Unit 61398 of the People’s Liberation Army, a premier crew of cyberwarriors within the Chinese military.
Going after the Chinese officers, Holder said, “makes clear that state actors who engage in economic espionage, even over the Internet from faraway offices in Shanghai, will be exposed for their criminal conduct and sought for apprehension and prosecution in an American court of law.” For good measure, the Justice Department even distributed wanted posters with pictures of the hackers in their Chinese military uniforms.
But nearly a year and a half after that indictment was unveiled, the five PLA soldiers it named are no closer to seeing the inside of a federal courtroom, and China’s campaign of economic espionage against U.S. firms continues. With Chinese President Xi Jinping set to arrive in Washington for a high-profile summit with President Barack Obama later this month, the question of how — and, indeed, if — the United States can deter China from pilfering American corporate secrets remains very much open. The indictment of the PLA hackers now stands out as a watershed moment in the escalating U.S. government campaign to deter China from its aggressive actions in cyberspace: an example both of the creative ways in which the United States is trying to fight back and of the limits of its ability to actually influence Chinese behavior.
Since the indictment was announced, cybersecurity experts say China has altered some of the methods used by its hackers but that its campaign against U.S. firms remains active. “We’ve seen tactical change but strategic continuity,” said Jen Weedon, a manager for threat intelligence at FireEye, a leading cybersecurity firm. She added that Chinese hackers have changed some of the malware and infrastructure they used for attacks but were continuing to target U.S. firms. Government agencies like the Pentagon, meanwhile, say that Chinese hackers attempt to infiltrate their systems hundreds of thousands of times per day.
And China’s army of hackers has notched some significant victories, none bigger than the 2014 hack of databases belonging to the Office of Personnel Management, which allowed Beijing’s agents to make off with highly sensitive documents used in background checks for security clearances. The hackers stole the personal information of up to 21.5 million federal employees; on Tuesday, OPM said it had awarded Identity Theft Guard Solutions, which does business under the name ID Experts, a $130 million contract to shield victims of the hack from fraud and identity theft. OPM Director Beth Cobert said the hack, which Washington officials privately attribute to China, was “one of the largest cybercrimes ever carried out against the U.S. government.”
China has denied allegations that it breached OPM’s servers, and has in the past rebuffed American complaints about its hacking activity by denying responsibility for specific incidents and pointing out that the United States also carries out electronic espionage.
With no evidence that China is scaling back its activities in cyberspace, Washington stands on the verge of escalating pressure on Beijing to rein in its hacker army. In April, Obama signed an executive order granting him the authority to apply the formidable sanctions power of the United States to block individuals and entities responsible for carrying out cyberattacks against U.S. targets. American officials say no final decisions have been reached about the timing or composition of those potential sanctions.
“As the president said when signing the executive order enabling the use of economic sanctions against malicious cyberactors, the administration is pursuing a comprehensive strategy to confront such actors,” Mark Stroh, a spokesman at the National Security Council, said in a statement Wednesday. “That strategy includes diplomatic engagement, trade policy tools, law enforcement mechanisms, and imposing sanctions on individuals or entities that engage in certain significant, malicious cyber-enabled activities.”
It’s far from clear if any of those measures will be enough to deter China, which is thought to have some of the most sophisticated hackers in the world — and which uses cyber-espionage to aid both its companies and its military.
Take the indictment of the PLA officers, Washington’s most concrete attempt yet to deter Chinese hacking. On the one hand, the indictment deeply embarrassed Beijing. “I thought it was tremendously effective, in that it irritated the heck out of the Chinese, and my impression was that there was never any intention to bring these people to trial,” said Jim Lewis, a widely consulted cybersecurity expert at the Center for Strategic and International Studies. On the other hand, there’s little evidence it concretely altered Chinese behavior, and that has led to what Lewis describes as “a lot of dissatisfaction [with] the failure of our deterrence strategy.”
By sanctioning companies that receive stolen intellectual property, U.S. officials hope to add some teeth to that deterrence strategy. Robert Knake, a former director for cybersecurity policy at the National Security Council, said that sanctions targeting companies that have received American trade secrets may dissuade other Chinese firms from accepting such material. Because a large part of the global financial system runs through American banks, U.S. sanctions can effectively freeze a firm out of large parts of that system. “It’s essentially a company showing up and saying, ‘I don’t want this. I’d just rather run it on the straight and narrow,’” Knake said.
If the indictment is any indication, U.S. sanctions may also target those who pilfer trade secrets. Knake said American sanctions could go after Chinese cybersecurity firms that do legitimate business while also dabbling in illicit activities to bolster their bottom line.
By the same token, it’s unclear whether the United States could convince China to abandon economic espionage. With the Chinese economy posting lower growth figures and its leaders encouraging the country’s companies to develop more value-added exports, there is pressure on business leaders there to innovate, and economic espionage is a convenient way to lower research and development costs. U.S. officials frequently describe the attempt to deter Chinese hacking — whether by sanction or indictment — as an attempt to “raise costs” for such behavior, but what is the threshold at which Beijing no longer considers hacking worthwhile?
The five men indicted in the U.S. District Court for the Western District of Pennsylvania will all but certainly never pay the price for their actions, even as the U.S. government insists it is working steadfastly to bring them to trial. “The five members of the People’s Liberation Army charged in the May 2014 indictment are wanted by the United States, and we fully intend to see them face charges,” Marc Raimondi, a Justice Department spokesman, said in a statement. “While I won’t discuss specific steps we may be taking to bring them to justice, I will remind you that we have a long and successful history of patience and persistence in pursuing wanted individuals.”
In hindsight, the indictment seems less like an exercise in law enforcement than a diplomatic signal to China. That’s an argument the prosecutor behind the case, U.S. Attorney David Hickton, resents. “I believe that’s absolute nonsense,” Hickton told Foreign Policy. “It was not the intention, when we brought this indictment, to at the same time say, ‘We do not intend to bring these people to justice.’”
But it’s unclear exactly what has happened to the five men since Hickton brought charges against them. Their unit suspended some operations in the aftermath of the indictment, but experts like Weedon say the group is still active. “The group is not operating in the same way it was before,” she said. “It seems to have taken new shape.”
Hickton, whose office has made the prosecution of cybersecurity cases a priority, says he considers the law enforcement effort against hackers to be a long-term one and likens it to indictments issued in Florida against South American drug kingpins during the height of the drug war. Then, as now, skeptics wondered what was the point of bringing cases against individuals who seemed all but certainly beyond the reach of U.S. law enforcement. Today, Hickton points out, U.S. prisons are filled with drug traffickers. Left unsaid, of course, is that drugs continue to flow across the border.
Top image: U.S. Department of Justice