China’s cyber troops?
Next week will bring the first bilateral summit between President Barack Obama and the newly installed Chinese President Xi Jinping. This meeting comes with new allegations of cyber espionage undertaken by the People’s Liberation Army (PLA) against not only U.S. defense firms, but also other U.S. companies, many of which compete with state-owned enterprises in China. Current discourse on this issue was largely shaped by information security firm Mandiant’s release of a report clearly identifying the PLA as actively engaged in economic espionage. For a relatively brief period, the PLA unit exposed in the Mandiant report went silent, but no more. Thus, Chinese economic cyber espionage is again on the national agenda.
Determining an appropriate U.S. response is difficult. It is not a surprise the PLA has resumed its cyber espionage activities. The United States actively engages in cyber espionage on behalf of its national security interests in a SIGINT enterprise that involves billions of dollars and tens of thousands of technicians, scientists, linguists, managers and analysts. The key difference is that there does not appear to be a straight line between U.S. cyber-intel collection and the economic activities of U.S. corporations. We do not have any credible evidence that U.S. firms can task the big ear of the National Security Agency to steal the innovations of a Japanese, French or Indian firm. Then again, as the world’s innovation engine, we are often the ones being imitated.
One problem with Chinese espionage is that it disadvantages U.S. firms in their research and development investments. This sort of espionage has occurred for some time, and the Japanese were fairly accused of corporate espionage in the 1980s, but it wasn’t clear that the Japanese were employing national intelligence assets to do so. China is different. With China it is a numbers game. The Chinese government likely has as many as 60,000 professional hackers of varying quality in uniform and an equal or larger number it supports in academic institutions and loosely affiliated hacker gangs. These people are told to go out and find the strategic plans of energy companies, steal the design schematics of micro-electronic devices, and penetrate the communications of dissident groups felt to undermine state authority such as the Tibetans and Falun Gong.
So what should be the U.S. policy response? It has tried shaming, and that has not worked. Economic sanctions are unlikely, as upsetting the status quo of Chinese exports for U.S. debt is disturbing to both sides. Previously, in the immediate aftermath of the Chinese compromise of Google’s systems, then-Secretary of State Hillary Clinton countered with an Internet Freedom campaign, spearheaded by Alec Ross and Jared Cohen. This worked well until plausible deniability over the hacking of the Iranian nuclear enrichment program evaporated with leaks of the alleged “Olympic Games” hacking program to David Sanger at the New York Times. On that, there is need for U.S. policy to be clearer in indicating what cyber offensive tools are available in undermining state sponsors of terror, rather than those activities being cloaked entirely in secrecy and ambiguity. The U.S. may want to think about how it publicly engages with the world on its still-secret cyber doctrine.
The U.S. could try to bolster it common cyber defenses, but my own experience with both government and industry has indicated that these institutions are not as nimble as the cyber attackers, and are extremely reluctant to share useful intelligence in timely fashion or reveal being compromised. This reality has been met with calls to “hack back.” As my colleague Herb Lin of the National Academies suggested, the U.S. could hack the email accounts and social media of the Chinese elite and expose their opulent lifestyles or anti-revolutionary behaviors, but the Chinese communist elite have been racing to lower their profile recently in the wake of the Bo Xilai affair.
But what can President Obama do? Can he intimate that the U.S. will cease servicing its Chinese debt? Can he suggest that the path for oil tankers from the Persian Gulf to China may be interdicted? No, such behavior is clearly irresponsible. We must remember that cyber politics is an extremely immature space. But when I look to policy options, I am more apt to push for what we are already doing at Rice and with our other collaborators in academia, picking apart the mechanisms for state censorship in China and exposing the policing of thought and speech of the regime. While China’s economy is strong and robust, its society, particularly its intelligentsia, is restive regarding the state’s desire to curb political speech. This is the wedge, and the United States should do everything it can to enable the free flow of information in and out of China as long as the PLA continues to purloin the intellectual products of U.S. firms via cyberspace.
Christopher Bronk is the Baker Institute fellow in information technology policy. He previously served as a career diplomat with the U.S. Department of State on assignments in Mexico, overseas and Washington, D.C.