Published by The Lawfare Institute
in Cooperation With
Since I have been a skeptic of the US-China agreement last fall on state-sponsored commercial cyber theft to benefit local firms (most recently here), I should acknowledge the new report by Fireye that concludes that China’s cyberoperations against U.S. firms have dropped significantly since 2014. (Ellen Nakashimna has a relatively non-skeptical take on the report; David Sanger’s coverage is more balanced and informative) The reports addresses two questions: (1) what is the nature of the drop-off of state-sponsored commercial theft for commercial gain?; (2) why did it drop off? Both questions have interesting answers.
The Drop in Commercial Theft. Fireye looked at the activities of 72 “suspected China-based groups” and found “an overall decline in China-based intrusion activity against private and public sector organizations since mid-2014.” It has a chart that shows “active network compromises” per month dropping from the 60-70 range in 2014 to less than 10 since the Fall of 2015. But then Fireye has a different graphic on “suspected China-based activity against corporate victims from late 2015-2016.” During this period, it reports, China-based groups compromised the networks of U.S. (and other) semi-conductor firms, at least two “high-tech” U.S. corporations, a U.S. healthcare organization, a U.S. software company, a media company (nationality unspecified), and a U.S. aerospace company. The report concludes that the threat from China “is less voluminous but more focused, calculated, and still successful in compromising corporate networks.”
The Reasons for the Drop. The report shows that most of the drop-off in China-based cybertheft occurred before the Obama-Xi agreement last Fall. It attributes the drop-off primarily to Xi’s “sweeping changes impacting its use of network operations,” especially his efforts to “centralize and emphasize military and government elements engaged in cyber activity,” and his “anti-corruption campaign cracking down on the illegitimate use of state resources.” It also gives supporting roles to increasing U.S. exposure of China’s state-sponsored commercial cyber-theft, dating back to a May 2013 Pentagon report (and similar private reports at the time), and including the U.S. indictments of five PLA officers in May 2014 and enhanced threats of U.S. sanctions during the same period. Putting all of this together, it appears that reforms of China’s cybertheft practices are grounded primarily in Xi’s efforts to centralize cyberoperations and stamp out corruption, and that U.S. exposure efforts aided Xi in these efforts. In other words, the changes are less about the U.S. imposing or threatening hefty costs on a unitary China (the costs and threatened costs have not in fact been hefty), and more about the U.S. making transparent corrupt state-sponsored activities to China’s government, and thus aiding China’s government (as embodied in Xi’s regime) in furthering its interests. This plausible mechanism of influence is consistent with what I took to be the most interesting elements of John Carlin’s remarks at Harvard last December, when he explained (around 38:40) that one reason why the indictments of the PLA officers might change China’s cyber-theft behavior is that China is a “big complicated country” and that in China (as in the U.S., he implied) “disclosure of intelligence activity caused a lot of internal changes, discussion, and debate and it may not be that everyone in the government over there knew exactly what everyone was doing or had thought about the consequences of what they were doing before it was named and exposed.”
The report thus helps us better understand how U.S. exposure of China-based cyber-theft serves Xi’s interests in clamping down on “criminal and unauthorized use of [China’s] state resources.” This is less a story of “coercion” than it is of “cooperation” between the United States government and Xi to serve Xi’s military centralization and anti-corruption efforts.* What we don’t know is how much state-sponsored commercial theft Xi is willing to tolerate (or able to eliminate), or how the government-related China-groups will morph along China’s very fuzzy public-private sector line to avoid detection from both China’s government and the U.S. government, or to operate in a way outside China’s government that Xi does not care about. Recall that last fall’s U.S.-China cyber deal, China agreed only not to “conduct or knowingly support cyber-enabled theft of intellectual property” with the intent of bringing commercial advantage.
* This mechanism is thus quite different from the three possible ones I explored last Fall to explain the U.S.-China cyber deal: (1) the deal involved little of substance and China would continue its practices, (2) China blinked in the face of threatened sanctions, or (3) the U.S. made secret concessions. The mechanism is interesting for international relations theory because it shows the value in not viewing the State as unitary, and because it shows how information generated by a rival nation (the United States) can serve a national interest (in China, defined as Xi’s interests) and effectuate cooperation even between rivals States.