The U.S.-China summit has concluded and the announced results provided little good news on the cyber front, at least for us. Beijing certainly got what it wanted: no executive order sanctions against its officials and companies for benefitting from its planetary-scale cyber espionage campaign. The Obama Administration apparently got what it wanted as well: a Chinese statement that state-sponsored or abetted industrial espionage is illegitimate. But now we are already hearing early reports from cyber security firms of strong evidence that the Chinese government hacking of U.S. firms has continued even after President Xi’s promises.
Pressure for real progress on U.S.-China cyber relations has been building for months, if not years. Chinese military strategists have been writing since the mid-1990s about how computer network attacks could be the key factor in deterring or degrading an American military response to a Taiwan scenario. The first decade of their intrusions against U.S. government and military networks was intelligence preparation of that battlefield.
In the mid-2000s, China’s cyber espionage capability was redirected against the heart of the U.S. innovation economy, targeting commercial firms and exfiltrating billions of dollars of intellectual property and data for the benefit of Chinese companies.
The Chinese government has even been complicit in computer network attacks, beginning in 1999 with hacks against servers belonging to dissident groups in the United States and culminating with the “Great Cannon” attack against the servers of a popular open source software community in early 2015.
Finally, recent revelations of suspected Chinese intrusions against major health care providers and the Office of Personnel Management’s highly sensitive clearance databases gave American officials a very personal incentive to confront Beijing’s seemingly unconstrained behavior.
When presented with overwhelming evidence of official complicity, such as when respected cyber intelligence firm Mandiant exposed Unit 61398 as a Chinese military hacking organization, Beijing borrowed from Kafka and denied that the unit even existed. The Chinese government made promises about progress on cyber issues prior to and during Obama and Xi’s summit at Sunnylands in 2013, but those commitments evaporated after the meetings ended.
On the eve of Xi’s current state visit, two American companies, DGI and ThreatConnect, published an even more compelling report directly identifying a Chinese military unit as the source of hacking against Southeast Asian countries and oil and gas companies. Yet in his White House speech, President Xi denied that China had ever engaged in hacking of any sort, commercial or otherwise. He insisted that China was instead the victim of hacking, implicitly invoking the spectre of Edward Snowden to bolster his claim.
The United States is currently in a deep deterrence hole with respect to China in the cyber domain, having refused to respond or retaliate in a comprehensive way to more than two decades of intrusions and attacks. Reestablishing credibility and stability in the bilateral cyber relationship will require a series of consistent policies and actions, not just bullet points on a post-summit fact sheet.
It seemed easy for the Chinese side to agree to never “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage” and to negotiate a joint mechanism for addressing accusations of commercial cyber espionage. But past Chinese obfuscation and intransigence lead us to believe that the working groups and ministerial dialogues will simply be venues for the Chinese to continue the mantra about their massive commercial cyber espionage effort: admit nothing, deny everything, and make vigorous counter-accusations.
While testing Beijing's new-found "opposition" to state-sponsored industrial espionage, the Administration should press forward using existing tools as well as push for necessary legislative changes, with the goal of changing Beijing’s cost-benefit calculus for both commercial cyber espionage and computer network attack. The White House’s own executive order on cyber sanctions, announced in April, should be aggressively employed to raise the costs for state-owned enterprises that directly benefit from Chinese government hacking. The Administration needs to work with Congress to provide companies with broad immunity from prosecution when they collaborate with the U.S. government or with each other.
And we need to take the gloves off on "active defense" and begin to establish indemnified rules of engagement for the private sector by revising the 1986 Computer Fraud and Abuse Act, with clear, bright-line thresholds of what companies are allowed to do to defend themselves from cyber espionage.
Taken together, these changes will signal to Beijing that the United States is serious about responding to the staggering scale of its cyber theft, and begin to create a new, manageable equilibrium in bilateral cyber relations between the two sides.
Michael Hayden is Chairman of the board for Delta Risk LLC, a global provider of cyber security and risk management services. He also serves as a principal at The Chertoff Group, a security and risk management advisory firm, and is on the board of The Cipher Brief. Previously, Hayden was director of the National Security Agency from 1995 to 2005 and the Central Intelligence Agency from 2006 to 2009.
James Mulvenon is Senior Vice-President of Defense Group Inc’s Intelligence Division and Director of its Center for Intelligence Research and Analysis.