National security and economic intelligence gathering in cyberspace is an industry that is getting more professional, Jon Lindsay writes.
At the G-20 Summit in Antalya, Turkey, leaders of the world’s major economies released a landmark communiqué rejecting economic espionage in cyberspace: “we affirm that no country should conduct or support ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” This wording echoes a bilateral agreement reached between United States President Barack Obama and Chinese President Xi Jinping in Washington DC in September.
For the first time, governments have voiced a consensus for restricting a form of espionage, although, importantly, not all espionage. National security intelligence collection, by cyber or other means, is not included in this statement, nor does it restrict cyber attacks against critical infrastructure, such as the US-Israeli Stuxnet operation against Iran. There is also a large grey area regarding intelligence collection against private firms to support national security and economic policy short of directly aiding commercial firms, for example, to support the defence industry or trade negotiations.
Unfortunately, the agreement is largely symbolic because it is unenforceable. Espionage, after all, depends on deception. Evidence of compliance with an agreement provides a convenient cover for even more sophisticated deception. Even if the compliance is in earnest, other actors are likely to suspect deception nonetheless, especially when a state has a history of extensive espionage and major investments in illicit foreign technology transfer. G-20 countries including France, Japan, South Korea, and Russia have all engaged in economic espionage in the past, but few have run campaigns as extensive and persistent as China does today.
China made a show of good faith prior to the September summit, according to the Washington Post, by “quietly arrest[ing] a handful of hackers at the urging of the US government…identified by US officials as having stolen commercial secrets from US firms to be sold or passed along to Chinese state-run companies.”
Yet ritualistic round-ups of scapegoats are not unusual in Chinese politics, especially in the context of Xi Jinping’s anti-corruption drive. Recently, the Ministry of Public Security rounded up 15,000 people accused of providing “illegal and harmful information” online and other crimes. These sporadic operations both reinforce domestic information control and attempt to send a message that hacking is the result of criminal elements rather than state policy.
China has an elaborate system for covert intelligence collection, coordinated in part through the so-called 863 Plan for high-tech development. Numerous private cybersecurity firms have linked sophisticated corporate network intrusions to Chinese actors, including Unit 61398 of the Chinese People’s Liberation Army based in Shanghai and identified publicly by Mandiant in early 2013.
Collecting foreign secrets is only a small part of a more extensive process the Chinese describe as “Introduce, Digest, Absorb, and Reinnovate,” and the Chinese have invested considerable resources in the infrastructure to implement it.
The Washington Post later clarified that the hackers arrested in September were actually responsible for hacking the US Office of Personnel Management (OPM), which compromised security background investigations on millions of current and former federal employees.
This move is puzzling because it seems unnecessary. In June US Director of National Intelligence James Clapper named China as the top suspect for the OPM hack, adding “You have to kind of salute the Chinese for what they did.” The September agreement would not have excluded OPM as a Chinese cyber target, and US intelligence can be expected to pursue similar targets in China. The OPM data is extremely valuable for national security purposes, i.e., enabling Chinese intelligence to identify Americans with security clearances and potential vulnerability to blackmail, but not for economic ends. Even if freelance hackers did indeed hack OPM, Chinese intelligence would be their most obvious customer.
US pressure on China had been building since the May 2014 US indictment of five PLA members for economic espionage (notably ignoring the national security collection activities by the same group).
According to the Washington Post, in the months following the indictment, “the Chinese military quietly began dismantling its economic espionage apparatus…[and] cracked down on moonlighters within the PLA [People’s Liberation Army] who were hacking on the side to sell information to companies, and they attempted to halt collection of data that was not central to the national security mission.”
Once again the message seems to be that economic espionage is just the work of a few rogue elements, not state policy. This is hard to take seriously given the wealth of evidence from Western intelligence agencies and private firms about bureaucratically regular intrusions linked to the PLA.
At the same time, the Chinese Ministry of State Security (MSS) — China’s premier foreign intelligence service and home of its most competent cyber operators — has continued to conduct operations against economic targets since the September meeting. MSS, incidentally, would be the actor most interested in and able to make use of the OPM data. MSS operations are characteristically more sophisticated and harder to detect than People’s Liberation Army operations, which by contrast are repeatedly compromised by lax tradecraft. (It is notable that the world leader in cyber exploitation, the US National Security Agency, was compromised by insider Snowden rather than tradecraft mistakes, although it makes those too.) Rather than “dismantling” it is more likely that the PLA is reforming to meet MSS standards of excellence and improve its discipline against targets of all types.
The real effect of the G-20 norm against economic espionage and the Chinese theatrics surrounding the American summit will be a reduction in amateurish collection that is easy to detect, and incentives to improve intelligence tradecraft that is harder to prevent. Chinese technological development is too invested in economic espionage to simply cease and desist. The real lesson of the agreement is to avoid getting caught.