Published by The Lawfare Institute
in Cooperation With
As Presidents Trump and Xi prepare for their first meeting next month at Mar-a-Lago, most early attention has centered on tension points involving Taiwan policy, the South China Sea, North Korea and trade. But another U.S.-China issue hangs in the balance: cybersecurity. While the story has been underreported in the press, cybersecurity experts have concluded that Chinese hacking of U.S. companies decreased substantially after the Obama administration’s strong intervention with the Chinese government in 2015. That leaves open the possibility that, should tensions mount on other issues, China will loosen its restraint and again permit its military and state-owned enterprises to conduct cyber-enabled economic espionage against U.S. companies. Many billions of dollars of intellectual property (IP) would again be at risk.
It is useful to recap some of the history here. For many years, Chinese government and corporate actors—though the distinction is often blurry in China—waged a rampant hacking campaign against U.S. businesses, stealing valuable IP and trade secrets. In response, the Obama administration indicted five Chinese military officials in 2014 for their participation in this mass theft, an unprecedented move that enraged China and escalated tension in cybersecurity relations between the two countries.
In 2015, the U.S. discovered the massive breach of the Office of Personnel Management’s sensitive personnel records, and reports leaked that the Obama administration planned to impose economic sanctions on China as punishment for its continued cyber misconduct. These reports emerged in the lead-up to President Xi’s planned visit to the U.S. and China, deeply concerned that the U.S. would embarrass Xi with sanctions ahead of the visit, dispatched a senior delegation to Washington on short notice. When they arrived, their orders became clear to those of us on the U.S. side: make serious concessions in the hope of heading off sanctions.
To the surprise of many of us—and following all-night negotiations—the Chinese agreed that President Xi would stand with President Obama during their September 2015 visit and jointly commit that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
This was a landmark concession from China. Given the value of stolen IP to Chinese industry, many, including some in the U.S. administration, questioned whether China would honor the agreement. But the evidence at the close of the Obama administration was positive. FireEye, CrowdStrike and senior U.S. government officials have all confirmed that the Obama-Xi accord coincided with a significant downturn in Chinese hacking activity. This new, more stable dynamic is of incalculable value to the U.S. business community.
Will the agreement hold, though? Certainly, Chinese hackers have the technical capability to resume their operations. If China feels cornered by the Trump administration—or if it needs a leverage point—then Chinese leadership may determine that restraint is no longer warranted. In that event, U.S. companies would feel the impact almost immediately.
In order to prevent a damaging relapse, I recommend three steps for the new administration.
First, President Trump should include cybersecurity on the list of issues he raises with President Xi at Mar-a-Lago. He should stress the importance of adherence to the 2015 agreement and ensure China knows it is still important to us. In the Obama years, we gained Chinese attention by demonstrating that hacking was a top priority and warranted retaliation with strong tools like sanctions and indictments. Trump should put forward the polite but forceful message that Obama’s team repeatedly conveyed to Chinese counterparts following the September 2015 accord: adherence to the agreement is critical, and we pay attention to actions, not words.
Second, the Trump administration should continue the biannual cybersecurity dialogue with China that Presidents Obama and Xi chartered when they met in September 2015. This dialogue is chaired by the Attorney General and Secretary of Homeland Security on the U.S. side, and by the Minister of Public Security on the Chinese side. The dialogue covers a range of law enforcement and civilian network defense issues. Though the meetings tend to be somewhat scripted affairs, they play a critical role by serving as an accountability mechanism; Chinese officials know that every six months they will face two U.S. cabinet officers and have to account for their actions.
According to the schedule established during the Obama administration, the next dialogue should take place in Beijing this coming June. The Trump team should keep U.S. participation on track and at the cabinet level.
Third, the Trump administration should task the Intelligence Community to continue monitoring Chinese compliance as a collection priority. Attribution of hacking activity is notoriously difficult. And assessing hacker intent is a particular challenge, but important under the 2015 agreement, which prohibits hacking for commercial advantage, but not for traditional espionage purposes. It will take time to identify changes in Chinese behavior. Indeed, it is entirely possible that China already has resumed its misconduct, either in retaliation for the new administration’s shifts in other areas of the U.S.-China relationship or in order to create a leverage point. But the Intelligence Community and the private cybersecurity research community will, over time, accumulate data that will allow us to judge Chinese compliance during the Trump administration.
These three initial, key steps will allow the new administration to preserve the gains that were previously won. To be sure, serious problems remain between the United States and China in the cyber domain. The Chinese too often fail to offer robust cooperation in cyber crime investigations despite committing to do so as part of the Obama-Xi agreement. What is more, China’s determined push to enact new cybersecurity laws and regulations is a threat to U.S. companies’ market access there, and raises its own IP protection concerns for companies that may be required to submit their products into a vague “security review” process. The Trump administration can and should press hard to protect U.S. interests in these arenas.
Yet the fact remains that winning China’s agreement to cease and desist its hacking for IP theft was a watershed. Two superpowers agreeing to some rules of the road for a new age of digital weapons was unprecedented, and a significant victory for U.S. businesses. The new administration should take a strategic approach to preserving, capitalizing and building on that achievement.