Published by The Lawfare Institute
At first glance, the Department of Justice’s Feb. 10 announcement that it indicted four Chinese People’s Liberation Army (PLA) service members in connection with the 2017 Equifax breach bears a resemblance to its 2014 indictment of five PLA officers.
Both indictments allege individuals participated in Chinese state-sponsored hacking of U.S. targets. Both allege theft of trade secrets. And both have minuscule chances of going to trial, let alone resulting in convictions. The accused in both cases are presumably in China, beyond the reach of U.S. law enforcement. In both 2014 and 2020, prosecutors would have known they had little chance of seeing the charges through, but they decided to move ahead anyway.
There is one major difference, however, between the new indictments and those from 2014. In retrospect, it is pretty clear what the U.S. government had in mind when it announced the 2014 charges. The Obama administration was in the midst of an escalating pressure campaign to force China’s leadership to deal with the economic espionage issue. The 2014 indictments detailed theft of actual trade secrets that could have been used for Chinese commercial advantage at the cost of U.S. firms. The 2014 indictments helped send a message that trade secret theft had to stop.
It is far from clear what the Justice Department or the Trump administration intends to achieve by broadcasting that Chinese military hackers were responsible for one of the biggest losses of personal information in U.S. history. The new indictment alleges economic espionage along with wire fraud and typical hacking crimes. But it makes one strange claim in order to support the economic espionage charge. It labels the “personally identifiable information” of U.S. citizens and “database schemas,” which can be understood as blueprints of how information is stored, allegedly stolen by the hackers as Equifax’s “trade secrets.” Economic espionage is usually understood to be theft for commercial gain, and it’s hard to imagine what significant commercial advantage the PLA or its hypothetical business clients could be seeking through theft of U.S. personal information and a map of how it’s stored.
These charges are also vulnerable to a critique levied at the 2014 indictments. At the time, the 2014 PLA charges drew criticism because they appeared unlikely to result in convictions and because tying law enforcement actions to foreign policy strategy risked compromising strict visions of prosecutorial independence. To what extent was the Justice Department’s 2014 investigation simply the result of following the evidence, versus being coordinated to make a foreign policy point? The 2020 PLA charges deserve particular scrutiny at a time when many observers worry about general political influence over federal law enforcement. What does the Justice Department, or the broader Trump administration, seek to accomplish with these indictments?
The 2014-2015 Campaign on Cyber-Enabled Theft
In 2014, Chinese state-sponsored hackers were named and shamed—their pictures broadcast around the world—in what turned out to be a prelude to heavier U.S. pressure tactics against a long-standing pattern of Chinese intellectual property theft. These pressure tactics included an executive order putting sanctions on the table for foreign people or entities involved in “malicious cyber-enabled activities.” Chinese officials got the message that the U.S. government might aim those sanctions at China and embarrass President Xi Jinping around his state visit to the United States. To avoid blowing up the visit, a top Chinese security official flew to Washington for a series of intense meetings that led to a negotiated 2015 pledge by Xi—made during a successful state visit—not to engage in economic espionage for a commercial edge.
It is controversial whether the joint statement led to a decrease in Chinese state-sponsored hacking. Some speculate that an observed drop in commercial hacking around that time had less to do with the pledge than with a reorganization of China’s offensive network operations and an upgrade in their ability to remain undetected. But at minimum, the Obama administration’s pressure resulted in the Chinese government recognizing the principle that there was a difference between spying for national security purposes, which both sides would surely continue, and spying to help out one’s domestic industries, which the two countries at least publicly disavowed. The norm against cyber-enabled economic espionage was endorsed by the G-20 the same year.
The head of the Justice Department’s National Security Division at the time, John Carlin, later argued the 2014 indictments that led up to the 2015 no-commercial-hacking pledge were an effective warning. In her new book “The Scientist and the Spy,” Mara Hvistendahl recounts that Carlin told an Aspen Security Forum audience the Justice Department’s indictments were “a giant ‘no trespass’ sign. … It’s, ‘Get off our lawn.’”
In 2020, Charging PLA Has No Clear Purpose
If the 2014 indictments were a “no trespass” sign, what kind of sign is the Justice Department erecting with the Equifax indictments in 2020? Although the newly unsealed charges against the PLA personnel include economic espionage, the Equifax dataset is probably more useful for traditional intelligence gathering than for commercial advantage. Chinese government hackers already have a history of stealing large databases about U.S. personnel for later use. In announcing the new charges, Attorney General William Barr listed some other instances of database heists the U.S. government has linked to China: the federal government’s Office of Personnel Management, Marriott hotels and Anthem insurance.
Combined with these databases, or even on its own, the Equifax data allegedly stolen by Chinese military hackers could be helpful in targeting vulnerable U.S. government personnel for blackmail or recruitment. It also could help Chinese intelligence to probe President Trump’s networks outside of government. In other words, it’s good stuff for traditional spying—and traditional spying very often entails breaking the laws of a target country.
But it’s hard to understand how the Equifax data would help Chinese businesses or, as Barr argued, how they could “feed China’s development of artificial intelligence [AI] tools.” Personal financial information of U.S. citizens could be of limited marketing use, but China’s consumer giants have little hope of competing in an inhospitable U.S. market. And it’s hard to imagine that Equifax, which was too incompetent to protect sensitive information or patch a publicly announced vulnerability, has much to offer Chinese data powerhouses like Tencent and Alibaba when it comes to database design.
The AI claim is especially spurious. As contributors to our DigiChina project have shown, China’s AI development ambitions face significant challenges, despite having some serious advantages. To establish strength and resilience, China’s AI sector would need an explosion of skilled workers and a more independent supply chain. Unless they specifically want to target and profile U.S. consumers, China’s AI developers are not hurting for data.
It would not be surprising if indeed Chinese military operators found an unpatched way into Equifax, a major data store on a nation of special importance to Chinese security services, and broke in. No doubt doing so would violate a number of laws and provide proper grounds for indictment. And kudos to investigators if they identified the operators responsible. Investing the resources to charge them would make good sense, if there was any real chance of getting to trial or conviction. Absent that chance, why bother preparing the indictment and bending the meaning of “trade secrets” and “economic espionage” to fit the case?
The strategic endgame of this indictment certainly does not appear to support the erstwhile U.S. position that national security spying was to be expected, while economic espionage was beyond the pale. The Trump administration has in many ways backed off of that distinction by embracing a principle that conflates the two realms: “economic security is national security.” U.S. representatives used to hear this sentiment from Chinese counterparts—at least until the Obama administration forced Xi to acknowledge a difference.
Still, by targeting what appears to be regular spy activity with tools developed to address the real problem of trade secret theft, the Justice Department may have undermined the U.S. government’s ability to defend against true instances of economic espionage. If tools custom-built to enforce fair competition are diverted to name and shame everyday spying out of an overriding motivation to call out China, who’s to say the next economic espionage charge is free of political motives?