This article appeared in The Cyber Issue in Winter 2016.
The next president should keep the pressure on China, but that requires following the Obama administration playbook.
When transition planning gets underway in earnest this fall, one of the hardest memos to write will be the outbrief from the current National Security Council (NSC) team on what to do about China’s ongoing campaign of cyber espionage targeting the intellectual property of U.S. companies. While long a focus of both the president’s cyber and China teams, there is little chance that in the coming months the issue is going to be brought to any type of resolution. Instead, the next president will inherit a partially implemented plan that has produced positive results in the short term but whose long-term sustainability remains uncertain. He or she would be wise to follow the playbook left by the Obama administration, with a redoubled focus on the investigation and prosecution of cybercrime.
Critics of the administration on this topic generally fall into two camps. One, summed up nicely by the title of a book by Peter Kiernan, is the Becoming China’s Bitch camp. In this view, the United States is so dependent on China that the Chinese can do what they want and there is little Americans can do to stop them. They hold U.S. debt, Americans can’t manufacture anything without them, Chinese students are leaps and bounds smarter than American students, and there are millions more of them studying science and math. The Chinese are strategic, looking around the corner of history and shaping it in their interests. They are playing three-dimensional chess and President Obama has been playing checkers. They put the blame on what they would characterize as Obama’s willingness to “lead from behind.” They then quote Sun Tzu, reference Unrestricted Warfare, and drop the mic.
The second view is the Coming Collapse of China camp. In this view, despite an aggressive anti-corruption campaign and a more assertive foreign policy, China is weak, wounded, and dangerous. The Communist Party made a deal with the devil, offering economic growth in exchange for loyalty to the regime. Now, the leadership can’t keep up with their end of the bargain. Growth is slowing, and at a faster pace than the official figures acknowledge. Overinvestment continues and economic reforms have stalled. Air and water pollution are a drag on the economy and a threat to citizen health. Paranoid about any dissent, the party has tightened restrictions on the Internet and the media and arrested feminists, civil rights activists, and lawyers. One spark could start protests that lead to widespread instability and perhaps the end of Communist Party rule.
What’s interesting is that these divergent views of China’s place in the world similarly predict there is little chance that China will cease stealing intellectual property. In the first view, China holds all the cards, and there is simply nothing the United States can do to impose costs and stop the hacking of companies. If China is desperate and dangerous, then it can’t stop stealing technology and business secrets because they are needed to fuel the economy.
What the Obama Administration has Accomplished
The Obama administration, in its handling of China in general and on cybersecurity in particular, has taken a third view. China and the United States have mutual interests in global economic prosperity and geopolitical stability. China needs to trade with the United States. China has an interest in a deal on climate change, which threatens its security much more than it does the United States. China needs to contain North Korea, a menace it is separated from by a river, not an ocean. China also has an interest in great-power status.
The Obama administration’s strategy has been to use these interests to nudge China to change its behavior in cyberspace without destabilizing the overall relationship. Historically, Beijing has maintained that it does not engage in any form of cyber espionage or cyber attacks, that China is the world’s biggest victim of cyber crime, that as a developing country China does not have the resources to police cyberspace, and that attribution is all but impossible in cyberspace so tracing any malicious activity back to China is unwarranted and driven by the desire to either distract from America’s own activity in cyberspace or demonize China.
The Obama administration steadily dismantled this line of argument. In the winter of 2013, the incident response firm Mandiant, now part of FireEye, put out a report tracing cyber espionage on American companies to Unit 61938 of the People’s Liberation Army (PLA), located in a building on the outskirts of Shanghai. At around the same time, the Department of Homeland Security (DHS) provided Internet service providers with the IP addresses of hacking groups in China. In March 2013, at a speech at the Asia Society, the U.S. national security advisor, Tom Donilon, spoke of the “serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale.” When the two presidents met in California in June 2013, President Obama warned President Xi that the hacking could severely damage the bilateral relationship.
In May 2014, the Federal Bureau of Investigation (FBI) indicted five PLA hackers. The FBI put together a classic wanted poster, showing photos of the hackers, their names, ranks, and hacker handles which included UglyGorilla and KandyGoo. The indictment provided details of their specific activities. Beijing denounced the indictments as lies, but the administration had brought new details to attribution and the practice of naming and shaming.
The Obama administration ratcheted up pressure again in 2015. In April, the president signed an executive order that would allow for economic sanctions against companies or individuals that profited from the ill-gotten gains of cyber theft. The order threatened to block financial transactions routed through the United States, block access to the U.S. market, and prevent company executives from traveling through the United States.
That August, the Washington Post reported that the administration planned to levy these sanctions against Chinese companies in the lead up to the September 2015 presidential summit. The leak sent Chinese envoy Meng Jianzhu, a member of the political bureau of the Communist Party’s Central Committee, running to Washington to make a deal. That deal, reached after all-night negotiations at the Wardman Park Hotel, included a commitment by both sides to not “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.” Washington and Beijing also agreed to identify and endorse norms of behavior in cyberspace and establish two high-level working groups and a hotline between the two sides.
Critics of the deal were skeptical that China would stop doing something it had insisted it had never done in the first place. They also worried about how Beijing would interpret “knowingly support” and “commercial advantage.”
Despite these potential loopholes, the agreement contained important secondary commitments for verification and enforcement. For the first time, China agreed to investigate and prosecute cyber crimes at the request of the U.S. government and to set up a series of communication and reporting mechanisms to demonstrate compliance. As President Obama put it during the Rose Garden ceremony announcing the agreement, he did not expect President Xi to be able to stop all cyber crimes in China, but he did expect China’s help in investigating them. “What I’ve said to President Xi and what I say to the American people is the question now is, are words followed by actions. And we will be watching carefully to make an assessment as to whether progress has been made in this area.”
Has China Changed its Behavior?
In the months since the deal, assessing that progress has not been easy. After departing the United States, Xi signed similar agreements with the United Kingdom and at the G20 meeting in Turkey. An agreement with Germany is expected this year. If Xi did not intend to honor these agreements, he was foolishly building international support for actions the United States or others might take against China at some future date. There were also some reports in the United States about Chinese authorities arresting Chinese hackers, though Chinese sources never clarified whether these hackers were after targets in the United States or China.
Shortly after the agreement was announced, the cybersecurity firm CrowdStrike put out a report claiming that it had detected and stopped attacks against six of its customers and traced them back to China. CrowdStrike could not say for certain that the attackers were intent on stealing intellectual property or transferring it to commercial companies for economic gain, but the targets, mostly pharmaceutical companies, suggested no other reasonable explanation. In addition, in April 2016, National Security Agency cyber head Admiral Michael Rogers told the Senate Armed Services Committee, “we continue to see them engage in activity directed against U.S. companies. The question I think we still need to ask is, is that activity then in turn then shared with the Chinese private industry?”
A spate of ransomware attacks—malicious software that encrypts and holds a victim’s data hostage—traced back to groups that previously engaged primarily in intellectual property theft suggests that business hawking stolen secrets may be drying up. This shift suggests that the attackers can no longer make a living on stolen intellectual property and are searching for new sources of revenue. It also appears the PLA is stepping down its activity, while actors tied to the Ministry of State Security continue to break into U.S. networks.
A year later, evidence suggests that China is upholding the agreement. FireEye’s iSight Intelligence group reported a sharp decline in the number of Chinese cyber attacks. While FireEye did not conclude that Chinese cyber actors had altogether ceased their activity, it did conclude that the Chinese government had “recalculated” its use of cyber espionage, likely in order to avoid continued harm to the bilateral relationship with the United States. U.S. Assistant Attorney General John Carlin confirmed the company’s findings that attacks were less voluminous but more focused and calculated. CrowdStrike concurred with its rival’s findings, though CrowdStrike’s chief technology officer, Dmitri Alperovitch, attributed the slowdown in activity to a reorganization within the Chinese government. He told the Wall Street Journal that he “would not necessarily assume that this is a long-term trend.”
Alperovitch’s conclusion does not fit with the evidence as presented by FireEye. The security researcher David Tait overlaid FireEye’s graph of Chinese cyber activity with just four of the policy actions taken by the Obama administration (see below). The graphic reveals immediate, though small, drop-offs in Chinese activity following each new action, cascading into a large overall decline. The correlation strongly suggests that China is in fact responsive to U.S. pressure. Moreover, the Obama administration likely had its own evidence of China’s change in behavior and made decisions to threaten but not drop sanctions on that basis.
At the very least, the days of “smash and grab,” hitting many companies, extracting data, and leaving without caring about getting caught, may be gone. Chinese actors are more selective and more stealthy at a minimum. In the world of cybersecurity, getting the Chinese to care about getting caught is a victory.
What the Next President Should Do
The next administration will face the challenge of making sure there is no backsliding from Beijing and the even more difficult job of turning China into a serious partner in the investigation and prosecution of cybercrime.
To do that, the next president will need to continue to maintain pressure on China. First and foremost, the issue must remain at the top of the bilateral agenda. The next president must make it clear to China that good relations and progress on issues that matter to Beijing will require a reduction in hacking.
Second, the next administration should make keeping score of the agreement a routine and public process. Whether through Interpol or another organization, the administration should work to establish an independent third party for the processing of legal assistance requests and press the organization to publicly release reports on response rates. As it stands now, only the U.S. government is in a position to judge whether China is holding up its end of the agreement. A third-party accreditor of this process could keep the books and make the release of information on it routine rather than political.
Third, the next president must pressure private companies to step forward and protest specific cases of actual or attempted economic espionage by China. During the Obama administration, only the companies that were named in the indictment against the five PLA hackers were willing to go public. In the case of CrowdStrike’s clients, not one was willing to publicly accuse the Chinese of violating the agreement, even though CrowdStrike had prevented any harm. Fear of reprisal by the Chinese, through actions taken to deprive them of access to the Chinese market, likely kept them from coming forward. While understandable, only if the victims of cyber theft are willing to confront their attackers will the next administration have the evidence it needs to keep the pressure on the Chinese regime.
Finally, the next administration must move beyond the narrow concerns of intellectual property theft and work to change China’s behavior in cyberspace more broadly. Washington and Beijing also differ on Internet governance, and how to manage the security of supply chains and information and communication equipment. Of particular concern are China’s continued efforts to repress speech of dissidents and criticism of the regime that takes place on U.S. servers on U.S. soil. China routinely engages in distributed denial of service attacks to knock the websites of Chinese Christian groups and the Falun Gong off the Internet. When these websites are hosted in the United States, such attacks are aimed at the core of American national values. The next president should take aim at China’s behavior in this space with the same deliberate and public approach with which the Obama administration targeted intellectual property theft. But, as under his or her predecessor, Washington will face a Beijing intent on pushing its own interests.
Rob Knake is the Whitney Shepardson senior fellow at the Council on Foreign Relations. He served as director for cybersecurity policy at the U.S. National Security Council from 2011 to 2015.
Adam Segal is the Ira A. Lipman chair in emerging technologies and national security and director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations. He is the author of Hacked World Order.
 Peter Kiernan, Becoming China’s Bitch: And Nine More Catastrophes We Must Avoid Right Now (Turner, 2012).
 Qiao Liang and Wang Xiangsui, Unrestricted Warfare: China’s Master Plan to Destroy America (Pan American Publishing Company, 2002).
 Gordon Chang, The Coming Collapse of China (Random House, 2001).
 “Overload: Critical Lessons from 15 Years of ICS Vulnerabilities” (cyber threat intelligence reports, FireEye, 2013).
 Thomas Donilon, “The United States and the Asia-Pacific in 2013” (speech, Asia Society, New York: 11 March 2013).
 Edward Wong, “U.S. Case Offers Glimpse Into China’s Hacker Army,” New York Times, 22 May 2014.
 FBI Press Release, “U.S. Charges Five Chinese Military Hackers with Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage,” 19 May 2014.
 White House Executive Order, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” 1 April 2015.
 Ellen Nakashima, “U.S. developing sanctions against China over cyberthefts,” Washington Post, 30 August 2015.
 White House Fact Sheet, “President Xi Jinping’s State Visit to the United States,” 25 September 2015.
 White House Press Release, “Remarks by President Obama and President Xi of the People's Republic of China in Joint Press Conference,” 25 September 2015.
 Dmitri Alperovitch, “The Latest on Chinese-affiliated Intrusions into Commercial Companies” (executive viewpoint, CrowdStrike, 19 October 2015).
 U.S. Senate Committee on Armed Services, United States Cyber Command, testimony by Michael Rogers, 5 April 2016.
 “Redline Drawn: China Recalculates its use of Cyber Espionage” (special report, FireEye, June 2016).
 Joe Uchill, “Obama administration confirms drop in Chinese cyber attacks,” Hill, 28 June 2016.
 Robert McMillan, “China-Based Hacking Incidents See Dip, Cybersecurity Experts Say,” Wall Street Journal, 20 June 2016.
 Pwn All The Things, Twitter post, 21 June 2016, 11:43 a.m., https://twitter.com/pwnallthethings/status/745280882076958720.