Cyber theft: A hard war to wage
We’ll send you a myFT Daily Digest email rounding up the latest Cyber warfare news every morning.
Washington is angry. Really angry. It is just not sure what to do about it. US officials have accused Chinese hackers of stealing corporate trade secrets since the mid-2000s but during the past few months the outrage has reached a political tipping point. cyber security has been thrust to the top of the agenda in US-China relations.
The Obama administration, members of Congress and the think-tanks that advise them have cast around for ways to punish hackers from China and elsewhere. Washington is considering a series of unilateral trade and other sanctions against Chinese entities and individuals.
“We will start sending a message to countries, especially China, that there is a consequence to your economic espionage,” says Mike Rogers, the chairman of the House intelligence committee who is preparing a bill to penalise hackers. “We should have a dial we can turn up and a dial we can turn down. That means adding some teeth.” When Barack Obama welcomes Xi Jinping for their first presidential meeting on Friday, he will press his Chinese counterpart on the issue of cyber theft.
Yet while political pressure is building for Washington to find ways to do something about the theft of trade secrets, it faces two big problems. First, it is not clear if any of the suggested remedies are workable. Moreover, given that China denies the US allegations, American attempts at retaliation risk escalating into a broader trade war between the world’s biggest economies.
John Veroneau, a former deputy US trade representative, worries that the mounting tensions over cyber theft could cause deep damage to the global trading system. “The great recession did not cause a surge in protectionism despite many predictions,” he says. “But cyber theft is changing things.”
China has pushed back vigorously against growing US complaints about hacking. “As we all know, the United States is the real ‘hacking empire’,” said a commentary last month in the People’s daily, the Chinese Communist party mouthpiece.
All governments conduct espionage on both friends and rivals, focusing on their political plans and military capabilities. But in Washington’s view, there is a crucial difference between trying to get hold of sensitive military information and the theft of trade secrets that are then handed to companies. Former and current US officials describe a Chinese enterprise that goes well beyond conventional espionage – a deliberate, co-ordinated and well-resourced strategy to steal the intellectual property of American companies that has been going on for years and is gathering pace.
Among a broader political audience, the tipping point came with the publication in March of a report in which Mandiant, a security consultancy, for the first time named a specific unit of the People’s Liberation Army in central Shanghai that it claimed was stealing US companies’ trade secrets.
Within the administration, minds have been concentrated by a new intelligence assessment that details the threat to the country’s economic competitiveness from cyber theft. Pointing a finger publicly at Beijing for the first time, Tom Donilon, White House national security adviser, complained in March of cyber attacks “emanating from China on an unprecedented scale”.
Having tried quiet diplomatic pressure, apparently to no avail, Washington is looking for other tools. “We have got to establish some form of leverage in dealing with the Chinese on this issue,” says Jon Huntsman, the former US ambassador to China who led a high-level panel called the Commission into the Theft of American Intellectual Property. “Otherwise, are we really prepared to pay the price of another 20 years of jawboning?”
One proposal is to strengthen trade laws that allow the authorities to block the import of goods that infringe patent laws. Dennis Blair, former director of national intelligence, says that the procedures need to be changed to make it faster and easier to bring such a complaint.
“We are trying to force Chinese companies to choose between access to the US market and stealing intellectual property,” he says.
Legislation introduced this month by a bipartisan group of senators including John McCain, the Republican, and Carl Levin, a Democrat, would require the intelligence services to publish a list of technologies that had been stolen, the products in which that intellectual property was used and the countries behind the spying. The administration would then be required to block imports of products derived from cyber espionage.
In its initial form the bill allows for wide powers of retaliation. The administration, for example, could block products made by “state-controlled enterprises” from countries named on the list or any products made by those companies. The US must “hold countries who engage in cyber theft accountable for their illegal activities”, says Jay Rockefeller, the Democratic senator who is one of the sponsors of the bill.
Lawyers and former officials say, however, that such an approach would be fraught with difficulties. The people who really know which imports are benefiting from cyber theft are the US companies whose technology has been stolen but have been reluctant to get involved in such investigations because many fear retribution from the Chinese authorities. Foreign companies already face a web of industrial policies in China that can be used to favour local businesses at their expense. Corporate America is collectively furious at the hacking but few companies want to stick their neck out.
There is a slew of difficult technical questions that such legislation would need to address. Would the investigations target only final products or also the broader supply chains that might have benefited from hacking? How will the US prove that the stolen technologies were introduced into the Chinese company’s research and development process? And can such actions be taken quickly enough so that the commercial damage is not already done?
Involving the intelligence services in trade disputes could put them in an uncomfortable position. Intelligence officers are trained to make nuanced judgments about capabilities and intentions, not to build legal cases. They might also be forced to reveal sources and methods. As a former National Security Agency official points out, one of the most effective ways in which the US intelligence community could collect such information is through hacking.
Moreover, China is not the only culprit. Various surveys have concluded that Chinese entities are responsible for between a half and 80 per cent of the online intrusions directed at US companies. However, according to former US officials, the list of countries conducting this sort of corporate espionage includes nations with which Washington has much closer ties, including France.
“We would need our intelligence agencies to tell us which goods have stolen IP embedded in them but that is not their expertise,” says Ken Lieberthal, former Asia director at the White House’s National Security Council.
“This would be a very hazardous approach. It will quickly lead to decisions that will be indefensible.”
Another approach being considered is visa bans for accused hackers. This is the same idea behind the Magnitsky list, which was introduced last year to penalise the Russian officials accused of being behind the death of Sergei Magnitsky, the whistleblower.
Mr Rogers is set to introduce a bill that would ban hackers from visiting the country and freeze their assets in the US.
“The visa issue should not get into a trade war because it is so targeted towards the specific perpetrators,” says Mr Rogers. “But we cannot be afraid that enforcing the law on stealing intellectual property will lead to a trade war or we are always going to be on the losing end of this”.
Mandiant’s research into PLA hackers has shown that it is possible to identify those directly involved, but denying them visas would likely have little impact given their low position in the system. Many experts on Chinese politics believe that no single institution controls the various military hacking platforms so it is hard to pinpoint the senior officers directly responsible.
Naming and shaming senior Chinese officers would also raise political concerns. They would in effect be placed on the same list of sanctioned individuals as drug-runners and terrorists – a diplomatic bombshell at the very time that the Obama administration is eager to improve relations with the PLA in order to manage the rivalry in the western Pacific.
Given the huge technical and political difficulties in taking legal action against Chinese hackers, some observers believe the most workable route is through increased diplomatic pressure. James Lewis, a former government official now at the Center for Strategic and International Studies, says that the administration should learn from the experience of the 1990s when China came under pressure to stop selling its nuclear technology.
The approach involved making sure that every American official who met a Chinese counterpart raised the issue at the top of the agenda. Other governments in Europe and Asia did the same, while some Chinese companies were also blacklisted. “If we can get the Europeans and other Asians to act together, then it might affect Chinese thinking,” he says.
Richard Bejtlich, chief security officer at Mandiant, doubts that political pressure alone will have any impact on Chinese cyber espionage, given the response to the public criticism from the US.
After Mandiant published its report, Unit 61398, the team on which it focused, went quiet for a while. However, other Chinese hacking groups that Mandiant tracks carried on as normal and Unit 61398 had also started up again.
“If the Chinese wanted to show some goodwill or if they were interested in having better relations with the US, they would have asked some of their people to stop,” says Mr Bejtlich
However, Mr Liberthal believes that presidential intervention can have an impact. The summit this week between Mr Obama and Mr Xi provides a good opportunity for the US to raise the diplomatic stakes. The meeting is an unusual one: two days on a secluded California estate, with few advisers, providing a platform for the leaders to discuss openly their priorities and expectations.
“Both men will be testing each other, so Obama should make this a test of how sincere Xi is about wanting good relations with the US,” he says. “There are lots of things China wants from the relationship in order to move forward. Obama needs to tell Xi that if we do not see the level of [hacking] activity fall, there will be consequences.”
Intellectual property: In search of the true cost of stolen ideas
It is “the greatest transfer of wealth in history”, according to General Keith Alexander, director of the National Security Agency and commander of US Cyber Command.
Putting a figure on cyber theft, however, is not so easy. Two pieces of research are most often cited: an estimate from security software group Symantec that intellectual property theft costs US companies $250bn a year and a figure from a rival group, McAfee, that cyber crime globally costs $1,000bn a year. President Barack Barack has mentioned the $1,000bn figure, while General Alexander has used the $250bn figure.
Yet both pieces of research have raised more questions than they answered. In the case of Symantec, the $250bn figure came from a footnote in a report the group published whose exact origin is hard to trace. McAfee’s $1,000bn figure was published in a press release to a report on cyber crime but was not in the actual report.
Several of the academics who helped put together the report have questioned the number. “The intellectual quality of this [$1tn] number is below abysmal,” Ross Anderson, a security engineering professor at Cambridge university, told ProPublica last year.
Some experts believe there is a large gap between the capacity of Chinese hackers to steal intellectual property and the ability of companies that eventually receive the trade secrets to make use of them. “The big question is can they reverse engineer the information, turn it into a product and then marketise,” says James Mulvenon, a vice-president of Defense Group, a Washington consultancy.
“They lack the organic history and creativity that underpinned the product,” he says. “Even if they copy the first-generation product, their second- and third-generation products will suffer. It is very shallow innovation.”
The Commission on the Theft of American Intellectual Property surveyed all the government and academic research into cyber crime, looking at the direct cost to companies from lost sales and royalties as well as the broader impact on the incentives to innovate. It concluded that the annual losses in the US were about $300bn, but added that “the exact figure is unknowable”.