‘Enough is enough’: United States v Chinese hackers
21 May 2014


Earlier this week, the US Department of Justice indicted five People’s Liberation Army officials for hacking into the computers of US companies to steal trade secrets. The indictment alleges that the PLA Five stole information that would be useful to the companies’ competitors in China, including state-owned enterprises (SOEs). This is a significant development, as the US is directly accusing China of stealing information and using it to undermine the competitiveness of US companies. The charges signal that the US sees the theft of intellectual property as a national security threat and is resolved to hold those responsible to account. The indictment also reaffirms a distinction the US makes between spying for profit, which is wrong, and spying for political purposes, which is acceptable. Ultimately, the indictment is aimed at influencing China’s behaviour in cyberspace. It’s unlikely to prove effective.

The fifty-six-page indictment (PDF) is backed by substantial evidence and describes the methods and motives behind the hacks. In the case of nuclear power plant manufacturer Westinghouse, the company was negotiating in 2010 to build four power plants in China when conspirator Sun Kailiang stole design specifications for pipes, pipe supports, and pipe routing. That information would enable a Chinese competitor looking to build a similar plant to save on research and development costs. In a global market, that injures Westinghouse’s competitiveness and, consequently, weakens the US economy.

The economic cost of cyber attacks to the US has been estimated to range up to a hundred billion dollars, and the US needs to find ways to stem the steady theft of information. ‘Our economic security and our ability to compete fairly in the global marketplace are directly linked to our national security’ said US Attorney General Eric Holder. His call for an ‘aggressive response’ has been echoed by other testimonies. ‘Cyber theft impacts real people, in real and painful ways. The lifeblood of any organization is the people who work, and sweat for it’, said the chief prosecutor in Western Pennsylvania, David Hickton. In short, the US is saying ‘enough is enough’.

China is also calling enough—enough of US hypocrisy. The US action has already prompted retribution from Beijing. ‘The Chinese military have never engaged in cyber theft of trade secrets’, and the indictment is ‘ungrounded and absurd’ said Foreign Ministry spokesman Qin Gang. In response to the charges, China has summoned the US ambassador for ‘solemn representation’, and suspended activities of the China-US cyber working group. China has also been quick to censure the US about its own cyber-espionage activities, with one article on Xinhua yesterday accusing the US of hosting a range of cyber attacks.

In announcing the indictment, the US has further complicated tense US-China cyber relations and risked the reputations of major US companies like Alcoa and US Steel by exposing attacks publicly. But there are advantages for the US in doing so, as it shows resolve in an attempt to influence China’s behaviour in cyberspace. The underlying message from the US is twofold.

The first message is that the US has elevated state-sponsored economic espionage from a diplomatic talking point to an actual crime. True, the prospect of the accused being brought to trial is next to nil. But the US hopes to signal to China that by conducting systemic illegal attacks, it takes an increased risk—that is no longer deniable—and that the US can, and will, hold China responsible.

The second message is about doing business with Chinese SOEs such as Chinalco and Baosteel. Clear links between Chinese military intelligence and state-owned enterprise are established in the indictment. Companies that are in negotiations with SOEs may find cause for a pause in their relationships. Chinese companies are likely to find themselves under greater pressure to limit government ties that undermine their international credibility. In turn, business pressure may cause China to limit the scope of its cyberespionage activities if those are seen as threatening commercial opportunities.

Whether, and to what degree, the indictment is able to influence China’s behaviour remains to be seen. But the move signals a determination on the part of the US to step out of the bilateral cybersecurity stasis. Evidence in the report shows straight-faced deniability is no longer the smoke screen it once was. The indictment will give China pause for reflection. It may, ultimately, limit its attacks. Alternatively, China may become more advanced in its methods, or more selective in its targets. Or it might simply ignore the US clamour altogether. China has much to gain from continuing its attacks—indictment or not, spying for profit in China has its own national security rationale.

Simon Hansen is an intern in ASPI’s International Cyber Policy Centre. Image courtesy of the FBI