Recent news that the US is considering targeted sanctions against China for economic cyber espionage is unsurprising. However, any sanctions imposed are unlikely to discourage future Chinese cyber espionage, but instead will only serve to burn precious US diplomatic capital in Beijing.
The White House announced in April this year that it would impose sanctions on individuals and corporations who gain a financial or commercial advantage from stolen information, or are involved in cyber espionage that affects critical infrastructure, disrupts major computer networks, or steals intellectual property.. It now appears that the US is preparing to implement sanctions in accordance with the Executive Order. Calls for a response to cyber espionage have become increasingly shrill in Washington DC, particularly from some of the candidates in the large field of presidential hopefuls that have taken a firm anti-China stance. Some suggestions, including proposals to take down China’s Great Firewall, make sanctions the more moderate solution.
Imposing sanctions isn’t an unprecedented move. The US imposed sanctions on North Korea for the Sony hack, and any sanctions of Chinese firms would be just the next step in a long-running US effort to counter Chinese cyber spies. The US has been pursuing Chinese hackers for several years, and has responded in a variety of ways including public denouncements, diplomatic demarches, and symbolically indicting Chinese military personnel. In addition, the release by private cybersecurity companies of detailed information on PLA cyber espionage units has added to the war of words between the two nations on cyber espionage.
The impetus to impose sanctions appears to be driven by frustration that despite previous efforts to ‘name and shame’ China for economic espionage, there’s been little respite. While the breach at the Office of Personnel Management may have encouraged further thinking on the issue, it’s unlikely that any sanctions would be in direct response to this incident. The US has previously made clear that it sees a difference between cyber espionage for commercial ends and such activities for national security intelligence collection purposes, as in the case of the OPM breach.
While not unprecedented, imposing targeted economic sanctions is a bold step, and will likely sate some of the hunger of those demanding a reaction. But it’s likely to cause more harm to the US–China relationship than to stop or slow Chinese cyber espionage. Beyond the usual statements about irresponsible behaviour and its own victimisation, China is likely to respond practically—in contrast to North Korea, the Chinese have the ability to impose costs on the US. US Treasury and Commerce Department officials have reportedly alerted the White House to the many counter-sanctions that China could implement in retaliation. In addition, Chinese president Xi Jinping’s visit to Washington DC this month makes the timing difficult for the Obama administration. Announcing sanctions before the visit risks a high-profile cancellation; doing so after will undermine any gains made during the leader’s dialogue.
The US intends to impose a cost on China for its cyber activity to dissuade them from further theft of US trade secrets, but those who benefit from cyber espionage know that the cost–benefit calculation is still in their favour. They receive the results of their competitor’s research and development at low cost, or use the information to undermine their competitors in other ways for their own financial gain. Attempting to stop cyber espionage by punishing a select few is unlikely to convince the larger whole that the cost–benefit calculation has changed. It will, however, make it more difficult for the US and China to deal with other issues that threaten global stability—such as the South China Sea.
So how should the US respond? Raising the cost is an obvious answer, but sanctions probably aren’t the solution. A more effective approach is to make commercial and propriety information, as well as Government data, more secure. An insurance company wouldn’t pay out if your house was robbed because you built it without doors, and neither should the US threaten a critical global relationship for the sake of those who haven’t properly secured their data. Other suggestions include supplying false information or ‘poisoning the well’. While tried and tested, this requires significant levels of coordination, and ignores the issue that many hacking victims haven’t taken adequate cybersecurity precautions. The US and China have already begun a discussion about norms of behaviour in cyberspace, and more careful application of national power to the problem of cybersecurity would enable this process to achieve a better and sustainable solution than actions that threaten to undermine the bilateral relationship.