Careful what you wish for—change and continuity in China’s cyber threat activities (part 2)
9 Apr 2018

At a time when ‘cyber anarchy’ seems to prevail in the international system, the emergence in 2015 of US–China consensus against ‘cyber-enabled theft of intellectual property’ initially appeared to promise progress towards order. The nascent norm against commercial cyber espionage that emerged between Xi Jinping and Barack Obama was later reaffirmed by the G‑20. China subsequently recommitted to this proscription in a number of bilateral agreements, including reaching a parallel commitment with Australia in April 2017.

Such a norm, however frail, might be celebrated as a triumph for cyber diplomacy. Yet its inherent ambiguities have also created a grey zone in which non-compliance is difficult to demonstrate. At the same time, Beijing’s pursuit of economic security means that priority targets will likely continue to face persistent intrusions from more capable threat actors.

In fact, judged against the technicalities of its terms, there is fairly limited evidence of Chinese cyber intrusions since 2015 that blatantly contravene the Xi–Obama agreement.

Arguably, US diplomacy has contributed to reshaping China’s cyber-espionage operations. However, despite the decline in activity, the results haven’t been entirely as intended. The pattern of activity by Chinese advanced persistent threat (APT) groups since the agreement reflects China’s exploitation of the leeway in its phrasing. For example, the condition that neither the US nor China will ‘knowingly’ support IP theft may have encouraged greater plausible deniability in Chinese cyber-espionage operations conducted since then.

Notably, in September 2017 the Department of Justice indicted ‘owners, employees and associates’ of the Guangzhou Bo Yu Information Technology Company Limited (Boyusec). Also known as APT3, Boyusec is notionally a private company, but seems to have operated as a contractor on behalf of China’s Ministry of State Security (MSS).

Despite the apparent redirection of Chinese military cyber forces to develop combat capabilities (see my previous post), MSS-linked APTs have evidently remained quite active. But those groups now seem to operate with greater operational security and sophistication, at least compared to the relative ‘noisiness’ of previous APT groups.

At the same time, because the Obama–Xi agreement emphasised that cyber espionage shouldn’t aim to provide ‘competitive advantages to companies or commercial sectors’, there isn’t a clear proscription against intrusions that target US, Australian and international companies so long as the objective can plausibly be justified by strategic and defence interests.

Even the US has, on occasion, engaged in cyber intrusions against foreign companies, including Huawei and Petrobras. Those activities might be differentiated from Chinese activities on the grounds that the intent was not to seek ‘competitive advantage’. However, the end use of exfiltrated data can be difficult to determine, and Beijing might draw on that US precedent to justify similar targeting for which the aims are ambiguous.

And because the agreement is limited to activities that advantage the commercial sector, Chinese cyber intrusions that target a foreign nation’s defence industry—or pursue IP related to dual-use technologies—could also be justified as consistent with the agreement. Unsurprisingly, APT activities against such targets have continued.

From that perspective, and with the caveat noted in the findings of the US Section 301 investigation into Chinese cyber activities that ‘publicly available information necessarily represents only a fraction of all relevant activity’, it appears that only a limited proportion of Chinese cyber threat activity since 2015 violates the agreement clearly enough to justify being singled out.

For instance, the Department of Justice’s indictment of Boyusec identified victims that were clearly commercial—Moody’s Analytics, Siemens AG and Trimble Inc.—and emphasised that stolen technologies such as Trimble’s new GPS systems ‘had no military applications’.

Also of note, APT10’s ‘Operation Cloud Hopper’ targeted managed IT service providers, enabling it to ‘move laterally onto the networks of potentially thousands of other victims’. That access would allow it to acquire information valuable for intelligence purposes. But some of those activities also targeted industries prioritised under China’s 13th Five-Year Plan or, in some cases, appeared designed to advantage Chinese corporate interests.

Certainly, it’s clear that Chinese cyber intrusions to steal IP have continued, even if there are fewer of them. And adherence to even the technicalities of the Obama–Xi agreement has been incomplete and imperfect at best. According to the Section 301 investigation:

The US Intelligence Community judges that Chinese state-sponsored cyber operators continue to support Beijing’s strategic development goals, including its S&T advancement, military modernization, and economic development.

This shouldn’t be surprising, given that China’s comprehensive approach to national (or rather ‘state’) security (国家安全) explicitly incorporates economic security, as highlighted in the 2015 National Security Law (国家安全法). Indeed, for the Chinese Communist Party (CCP) economic competitiveness is integral to the performance legitimacy that bolsters regime security.

Xi Jinping’s public denunciation of ‘cyber-enabled theft of intellectual property’ is significant—and, from a more optimistic perspective, could encourage a deeper reshaping of China’s behaviour in the long term. Nonetheless, so long as China remains dependent upon foreign technologies to advance its (oxymoronically) indigenous (自主) innovation, the CCP’s commitment to a range of tools to promote technology transfer is unlikely to succumb to diplomatic pressure without major changes in the incentives for Chinese leaders.

Pursuant to a new strategy for ‘innovation-driven’ development, however, China is also seeking to advance truly ‘made in China’ innovation. In the near future, its reliance upon overseas ‘innovation resources’, accessed through licit and illicit means of tech transfer as well as through research partnerships and collaborations, seems likely to persist. But the ultimate objective is to enable China to emerge as a true leader in disruptive innovation in next-generation technologies, including through major increases in funding for basic research. The outright theft of IP may therefore become less important to Beijing. In the meantime, the Chinese cyber threat will persist, necessitating persistence in cyber diplomacy. Likely targets of Chinese cyber intrusions should therefore concentrate on bolstering their defences and resilience against risks that will remain persistent while becoming more sophisticated.