Crossroads Blog | CYBER SECURITY LAW AND POLICY

Cyber Exploitation

What To Do About Chinese Cyber Espionage? CFR/Lawfare

Adam Segal, for CFR, with a vexing question: what do we do about Chinese cyber espionage?  Noting that the USG has tried (and failed) with “naming and shaming,” Segal explains how the Chinese government largely doesn’t care. In fact, the Chinese view the USG as hypocrites, “portraying itself as the ‘patron saint of the free Internet'” while moving to expand CyberComm.  In the end, Segal believes we have to find a better medium than the news media to signal our displeasure to the Chinese.  Before I forget, Segal does great work; he often translates Chinese articles, providing a new dimension to these cyberexploitation articles.  Follow him @adschina.

Unfortunately, I don’t think it’s a matter of the medium.  Would Chinese leaders really be any less evasive in direct diplomatic talks?  I’m not sure.

I think we should step things up a notch.  Over a year ago, Benjamin Wittes reviewed Joel Brenner’s America the Vulnerable (a fantastic book, by the way) for Lawfare.  The review was solid, but I was really drawn to some of Wittes’ ideas on cyberexploitation.  From an old blog post of ours:

Wittes recommends lower level retaliatory attacks on those behind cyber-espionage.  In the case of China, Wittes mentions a PLA hacker school and advocates using a mix of identity theft and/or disclosure of embarrassing personal details to retaliate against its members.  Better yet, the US could “degrade the Great Firewall of China.”  In the best line of the entire review, Wittes says that “there are people and institutions whom our criminal justice apparatus and diplomacy cannot reach . . . but that does not mean that we cannot raise the cost to individuals, states, and organizations of eroding our security.”

I just love this idea.  Cyber-espionage seems to convey a feeling of helplessness.  No matter how good our network defenses are, they’ll always be a way to get in.  Political considerations have prevented the US from directly confronting the Chinese.  And we can’t retaliate against cyber-espionage with damaging cyberattacks.  However, using these low-level retaliatory attacks, we can at least make a point.  I think going after the Great Firewall of China would be especially effective.

A year later, and I still agree with what Wittes wrote.  Lets dispense with the political niceties and public shaming and put a few holes in the Great Firewall of China.  If that doesn’t get China’s attention, poke a few more.

While I’m citing Lawfare, Jack Goldsmith posted his thoughts on the asymmetrical USG reactions to cyber exploitations and cyber attacks.   In that article, Goldsmith says that the USG may be tentative about cyberexploitation because “the United States itself engages in cyberexploitation.  . . .”  However, does the USG engage in cyberexploitation?  If we draw a divide between cyberespionage (spying) and cyberexploitation (vacuuming up IP), does the USG have hackers working 9 to 5 to suck up every last business plan and tech spec of foreign corporations?  Obviously the USG engages in cyberespionage, and although I often read we don’t do it, I would be naive to believe the USG doesn’t engage in any cyberexploitation.  Nevertheless, I doubt we engage in the level of pervasive cyberexploitation that the Chinese do.  That being the case, why the hell are we still being tentative about the greatest instance of intellectual property theft in history?  

Goldsmith himself admits that “the scale of espionage and theft via cyber will require a rethinking of international law’s ‘hands off’ attitude toward the problem – an attitude developed in a different technological universe when the scale of the national security threat from espionage was much smaller.”  To that end, I disagree when he says “the United States will not be able to clamp down on China’s cyber exploitations by others unless it is willing to consider clamping down on its own cyberexploitations.  . . .”  We spy, the Chinese spy, everyone spies, got it.  The fact that we spy shouldn’t cost us our moral high ground when addressing pervasive cyberexploitation.

Leave a Reply