Trolling about the interwebs, I came across this well-written Lawfare blog post by Paul Rosenzweig. The post considered this Washington Post editorial titled The U.S. needs to tame the cyber-dragon, which looked at China’s campaign of pervasive cyberexploitation and possible U.S. responses. From the WashPo op-ed:
China denies carrying out cyber-espionage, theft and disruption. But there is a growing amount of evidence that it is behind one of history’s great heists of intellectual property . . . China’s motivation in economic espionage is to steal technology that will help leapfrog generations of development; going after the military and newspapers is more like classic spying. The U.S. government spies on China, too, although U.S. intelligence agencies do not steal technology for the private sector.
All of this raises a question: How should the United States respond?
That is an interesting question, isn’t it. How should the US respond? I’m encouraged that people are actually asking the question, though I doubt any response will be forthcoming. The Post suggests “speaking firmly” with the Chinese, an idea that Mr. Rosenzweig rightly criticizes. Naming and shaming ain’t gonna work alone, as Adam Segal notes for CFR. The Post then suggests “offensive cyber-assault,” which Mr. Rosenzweig again correctly notes goes too far; in his words, we need to “find a middle ground — some kind of espionage-based response that causes equivalent pain to Chinese interests and that might get their attention.”
I agree wholeheartedly. I’ve been beating the war drums on targeting the Great Firewall of China, revealing the personal details of Chinese hackers, and creating a hackback regulatory regime for a few posts now.
And wouldn’t you know it, a timely story from Bloomberg’s Dune Lawrence & Michael Riley on how a Chinese hacker’s identity was unmasked. A hat tip to Mr. Stewart Baker and his Skating on Stilts blog for bringing this to my attention. It’s a lengthy, but wonderful article on how two researchers traced a Chinese hacker, found photographs of the hacker, and even called him. A few excerpts:
In March, [one of the researchers named Cyb3rsleuth] published what he found on his personal blog, hoping that someone—governments, the research community, or some of the many hacking victims—would act. He knows of no response so far. Still, he’s excited. He’d found the face of a ghost, he says.
. . .
About his links to hacking and the command node domains, [the hacker, Zhang] says: “I’m not sure.” About what he teaches at the university: “It’s not convenient for me to talk about that.” He denies working for the government, says he won’t answer further questions about his job, and hangs up.
. . .
Outing one person involved in the hacking teams won’t stop computer intrusions from China. Zhang’s a cog in a much larger machine and, given how large China’s operations have become, finding more Zhangs may get easier. Show enough of this evidence, Stewart figures, and eventually the Chinese government can’t deny its role. “It might take several more years of piling on reports like that to make that weight of evidence so strong that it’s laughable, and they say, ‘Oh, it was us,’ ” says Stewart. “I don’t know that they’ll stop, but I would like to make it a lot harder for them to get away with it.”
Ramp up those identification/humiliation efforts in concert with USG action on the Great Firewall of China and a regulatory regime where private companies hackback under DOJ watch (while adhering to strict guidelines on attribution, proportionality, etc.) and you’ve got a pretty effective response to Chinese cyberexploitation without exceeding the use of force threshold or turning to economic sanctions.
Yeah it’s provocative . . . but so is sitting on our thumbs and watching as a Communist government vacuums up billions of dollars in IP and our country’s economic future.
***
While I’m feeling frisky, why shouldn’t we launch offensive cyber-assaults in response to pervasive Chinese cyberexploitation? The consensus seems to be that espionage, and perhaps cyberespionage, is not illegal under international law. I get it . . . everyone spies. However, I just don’t buy that this pervasive level of cyberexploitation (as opposed to cyberespionage) is legal under international law. Vacuuming up billions of dollars of IP is not the same as spying.
I think pervasive cyberexploitation is an armed attack. Someone bombs the NYSE, it’s an armed attack. If someone uses malware to shut down the NYSE for an extended period of time, thereby causing billions of dollars of damage (but no loss of life), most people would say that’s still an armed attack. So why is stealing billions of dollars worth of IP not an armed attack? I understand this IP isn’t necessarily gone, so it’s difficult to quantify losses, but there are business shutting down.
Joel Brenner made a great point in his book America the Vulnerable: Westerners too often see war only in terms of bombs and bullets. The Chinese understand that economic war is just as potent a dimension of warfare as physical destruction. How did we win the Cold War? We outspent the Soviets. My point is that our national security is bound up with our economic strength, and right now, the Chinese are waging war on our economic strength. Foreclosure may be more effective than bombing raids in shutting down US factories.
I don’t honestly believe we should launch offensive cyberattacks rising above the use of force threshold in response to pervasive Chinese cyberexploitaiton. But as an academic exercise . . . why couldn’t we?
Leave a Reply