An Irrelevant Thesis

This week The Diplomat published an article by Dr Greg Austin titled What the US Gets Wrong About Chinese Cyberespionage. The subtitle teases the thesis: "Is it government policy in China to pass on commercial secrets obtained via cyberespionage to civil sector firms?" As you might expect (because it prompted me to write this post), the author's answer is "no."

The following contains the argument:

"Chinese actors may be particularly adept in certain stages of economic espionage, but it is almost certainly not Chinese government policy to allow the transfer of trade secrets collected by highly classified intelligence sources to its civil sector firms for non-military technologies on a wide-spread basis.

A U.S. influencing strategy toward China premised on the claim that this is China’s policy would appear to be ill-advised based on the evidence introduced so far by the United States in the public domain." (emphasis added)

I find it interesting that the author concedes theft by Chinese government actors, which the Chinese government refuses to acknowledge. However, the author seeks to excuse this activity out of concern for the effect it has on US-China ties.

One aspect of the relationship between China and the US worries the author most:

"There are many ways to characterize the negative impact on potential bilateral cooperation on cyberspace issues of the “lawfare” being practised by the United States to discipline China for its massive cyber intrusions into the commercial secrets of U.S. firms. One downside is in my view more important than others. This is the belief being fostered by U.S. officials among elites in the United States and in other countries that China as a nation is a “cheater” country..."

Then, in a manner similar to the way Chinese spokespeople respond to any Western accusations of wrongdoing, the author turns the often-heard "Chinese espionage as the largest transfer of wealth in history" argument against the US:

"In the absence of any Administration taxonomy of the economic impacts of cyber espionage, alleged by some to represent the largest illicit transfer of wealth in human history, one way of evaluating it is to understand that for more than three decades it has been U.S. policy, like that of its principal allies, to undertake the largest lawful transfer of wealth in human history through trade with, investment in and technology transfer to China."

(I'm not sure I understand the cited benefits the US has accrued due to this "largest lawful transfer of wealth in human history," given the hollowing out of the American manufacturing sector and the trade imbalance with China, which totaled over $82 billion in 1Q15 alone. It's possible I am not appreciating what the author means though.)

Let's accept, for argument's sake, that it is not "official" Chinese government policy for its intelligence and military forces to steal commercial data from private and non-governmental Western organizations. How does accepting that proposition improve the situation? Would China excuse the US government if a "rogue" element of the American intelligence community or military pursued a multi-decade campaign against Chinese targets?

Even if the US government accepted this "Chinese data theft by rogue government actor" theory, it would not change the American position: stop this activity, by whatever means necessary. Given the power amassed by President Xi during his anti-corruption crackdown, I would expect he would be able to achieve at least some success in limiting his so-called "rogue actors" during the 2+ years since Mandiant released the APT1 report. As Nicole Perlroth reported this month, Chinese hacking continues unabated. In fact, China has introduced new capabilities, such as the so-called Great Cannon, used to degrade GitHub and others.

Similar to the argument I made in my post What Does "Responsibility" Mean for Attribution?, "responsibility" is the key issue. Based on my experience and research, I submit that Chinese computer network exploitation of private and non-governmental Western organizations is "state-integrated" and "state-executed." Greg Austin believes the activity is, at worst, "state-rogue-conducted." Stepping down one rung on the state spectrum of responsibility ladder is far from enough to change US government policy towards China.

Note: In addition to the article in The Diplomat, the author wrote a longer paper titled  China’s Cyberespionage: The National Security Distinction and U.S. Diplomacy (pdf).

I also plan to read Dr Austin's new book, Cyber Policy in China, which looks great! Who knows, we might even be able to collaborate, given his work with the War Studies department at KCL.

Comments

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics