Published by The Lawfare Institute
in Cooperation With
Skepticism abounded both inside and outside of government when then-President Barack Obama and Chinese President Xi Jinping included special provisions for reducing commercial cyber espionage in their far-reaching September 2015 bilateral agreement. Specifically, China and the United States agreed to curb “cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” Critics of the agreement naturally wondered if difficulties attributing malicious activity in cyberspace would make enforcement of paper terms impractical; less charitable observers assumed this flaw explained Beijing’s willingness to reach these terms in the first place and that President Obama had been duped.
In hindsight these concerns missed the promise of such agreements entirely. They were designed not to put an end to cyber spying but to hem in certain classes of activity for the mutual benefit of all parties. Even more notably, observers also missed the critical role that the private sector would play in providing the parties with evidence of their good-faith progress toward implementation. A FireEye study of 182 compromises of U.S. targets by 72 Chinese cyber threat groups going back to early 2013 found a steady decline leading up to the Obama-Xi Agreement, with a rapid drop-off in theft of U.S. intellectual property after that, leaving the new status-quo at near-zero levels.
In this post, I explain how the private sector’s work in demonstrating state compliance with cyber agreements can in turn encourage such compliance. In the case of the Obama-Xi Agreement, by recognizing and proving the broad trend of declining Chinese espionage, the private sector may have helped prevent ambiguous outlier incidents from dominating the public and domestic political discourse in the U.S. I then discuss necessary limits on the private sector’s role in this realm.
The Private Sector’s Role in Demonstrating a Decrease in Chinese Economic Espionage
The drop-off in Chinese of U.S. targets has persisted even in high-priority areas for Beijing, like with respect to genetic testing technologies that are an important component of China’s most recent Five-Year Plan covering development for 2016-2020. According to a separate, more recent internal study conducted by my colleagues Sarah Geary and Parnian Najafi of victims of Chinese economic cyber espionage, “before the Xi-Obama agreement, China had conducted cyber espionage against Western companies related to genetic research in the biotechnology, pharmaceutical, and agricultural industries in support of China’s goals to enhance food security and living conditions. However, after the agreement in September 2015, FireEye observed a dramatic decrease in this targeting.”
Is it possible that we missed something, or that the Chinese groups became stealthier? Absolutely. Could Chinese hackers be targeting companies that have not invested in outside security vendors, or even be stealing U.S. intellectual property from subsidiaries and partners overseas? Yes. But it is almost certainly not true that the previous level of activity, which NSA Director Keith Alexander once described as “the greatest transfer of wealth in history,” could have continued unabated and undetected by any vendor or victim.
FireEye can be reasonably confident that the experience of our customers is representative of overall objective reality because of the large number of such customers in the United States (over half the Fortune 500) and the breadth of our partnerships, with devices in more than 67 countries worldwide. Other high-tech firms involved in cybersecurity have similar global footprints. As espionage to steal corporate formulas declined in the United States, Chinese cyber operations targeting political leadership and military secrets in Asia heated up. Cyber threat group APT3, for example, has mostly focused on regional political intelligence targets since the Obama-Xi Agreement, but has a history of targeting U.S. high-technology firms including the compromise of a satellite technology company in early 2016.
So we know that operations targeting U.S. companies involved in the manufacture of defense or dual-use technologies has continued; it is understood that such thefts would fall under long-tolerated national security-related spying. More controversially, we have observed theft from private companies of personally identifying information like health records, the growing collection of business intelligence probably to aid Chinese competitors during negotiations, and the collection of intelligence related to national-level trade agreements, though still without the theft of unambiguously civilian technology.
The Obama-Xi Agreement then did not put an end to the possibility of Chinese cyber espionage targeting U.S. companies, only to the scale of such activity and its further use by Chinese companies for competitive advantage in global markets. This is cold comfort to those U.S. companies still threatened by Chinese activity, but should be encouraging to diplomats in both countries and around the world. Had the agreement been reached and complied with by both parties but the broad trend of declining activity not recognized and proven publicly, ambiguous outlier incidents could easily have been whipped up into dominating the public and domestic political discourse in the U.S.
Attribution has not proven to be the barrier many expected; a variety of major security vendors have continued to track and accurately expose Chinese threat groups. Because cyber threat groups compromise many different victims over time while reusing at least some tools, infrastructure, and personnel, patterns emerge that make big-picture attribution more plausible than the common public narrative. As a nominal example, when combined with forensic evidence there would be few reasonable explanations other than Beijing as the sponsor of operations targeting intelligence in Southeast Asian legislatures, Chinese dissidents in California, and U.S. government-controlled sensitive information.
The Private Sector’s Indirect Role in Encouraging Treaty Compliance
Far more unsettled analytic debate has been devoted to the meaning behind security compromises—sometimes the exact data taken is unknown and intent must be inferred based on the target alone—than in identifying the country responsible for paying the bills to sponsor operations. The most successful cyber agreements, formal and de facto, have sought to alter this intent. In 2015 then-Director of National Intelligence James Clapper noted in congressional testimony the distinction between aggressive cyber operations solely designed to acquire intelligence for state use, as in the case of the OPM compromise by Chinese actors, and the “nefarious” use of that information.
This focus on identifying and altering behavior has sometimes been lost in government-led technology control efforts such as the Wassenaar Arrangement, a conventional arms control agreement later adopted as a vehicle for encouraging its signatories to restrict the export of cyber weapons. Since the beginning of discussions to control software under Wassenaar, the threat environment has shifted toward greater use of modular malware by threat groups, making the functionality of the export-controlled tools even less relevant than when those discussions began. Indeed, many threat actors now use legitimate, built-in system administration tools like Windows PowerShell to carry out most of their operations.
The ambiguous nature of the code used by many threat groups has created escalation risks that even the best treaties focused on capability will not easily control. Software used to spy on an adversary’s military command might also be used to impede that headquarters from issuing commands at all, or even into issuing false commands. Malware designed to provide early warning of nuclear missile launch, if discovered by the victim, might incentivize that victim to place a greater doctrinal emphasis on first-strike or place nuclear weapons under the control of field commanders, as they lose trust in the ability of their more centralized systems to assure a second-strike response. This problem already exists today as threat actors are discovered in the networks of energy companies worldwide, with uncertainty reigning as to whether the perpetrators were committing espionage, preparing for a disabling operation as part of a military strike or political extortion, or both.
The Private Sector’s Role Is to Inform, Not Enforce
The private sector’s role in providing helpful information should not be confused or conflated with state attribution determinations. As reflected in the Obama-Xi Agreement, holding international violators to account is ultimately a geopolitical enterprise solely within the competence of governments. Signatories to conventional and WMD arms-control treaties routinely accuse one another of violating some aspect of their agreement, but without scuttling the overall framework. Industrial espionage by a generally friendly nation may also get overlooked when the same activity by an unaligned nation would lead to an indictment. The point is that a host of factors, including legal assessments, go into decisions to publicly hold nations to account for their cyber activities, and those decisions obviously lie outside the province of the private sector.
In the near-term, for nations that wish to curb cyber conflict, restrict future cyber operations, or simply build trust with one another, private sector companies worldwide play a valuable role in providing publicly verifiable information about state partners’ compliance with bilateral and multilateral agreements. This has the effect of increasing the efficacy of such agreements, which may, in turn, increase their use. Canada is the latest country to take the plunge, joining the U.S., U.K., Germany, and Russia in signing mutual restrictions on cyber activity with China.