Since 2013, the Obama administration has publicly pressed China on one particular cybersecurity problem: the alleged theft of U.S. trade secrets by units of the Chinese government for the benefit of Chinese firms. The pressure, which administration officials said will continue at this week’s Obama-Xi summit in Beijing, has produced no significant results and has stalled dialogue on a much more dangerous aspect of cybersecurity: the quiet arms race to develop the ability to disrupt critical computer systems, potentially leading to chaos and civilian deaths.
Computer-enabled theft of intellectual property certainly violates laws and norms of fair competition, and the U.S. government and private computer security firms have released convincing evidence that units of China’s People’s Liberation Army (PLA) are behind some of the stolen secrets. This industrial-scale theft also undermines support for stable U.S.–China relations in the U.S. business community, historically an important counter to China hawks from military and human rights circles. But there is no sign the U.S. approach has stopped or significantly slowed cyber theft, and even if China’s apparent state-sponsored theft were to stop completely, there would still be freelance thieves from China and around the world. The message for U.S. companies with trade secrets is clear: Cybersecurity is a defensive game; guard your treasures.
The Obama administration’s emphasis on commercial theft has risen over the last two years. In his February 2013 State of the Union speech, Obama made a thinly veiled reference to China, saying, “We know foreign countries and companies swipe our corporate secrets.” The day before, someone had leaked part of an intelligence report naming “China as the country most aggressively seeking to penetrate the computer systems of American businesses and institutions to gain access to data that could be used for economic gain.” In a major Asia policy speech in March 2013, then-National Security Advisor Thomas Donilon said that protecting “intellectual property and trade secrets” had “moved to the forefront of our agenda.”
At the “informal” Sunnylands summit in June 2013, Obama and Xi also confirmed they had discussed cybersecurity, and both governments announced the establishment of a civilian-military Cyber Working Group. So far, so good. The U.S. government was standing up for fair competition, standing against theft, and appeared to have opened a potentially useful channel with China to discuss the full range of cybersecurity issues. Shortly after Sunnylands, however, Edward Snowden was introduced to the world from a hotel room in Hong Kong. People will debate for decades how much damage Snowden caused to U.S. national security, but he unambiguously bulldozed the American high-ground when it comes to stealing secrets online.
Obama administration officials have since insisted that spying for national security purposes is fundamentally different from spying for commercial benefit, and they have claimed that the United States simply doesn’t steal trade secrets to hand them over to U.S. companies. They’re forced to make nuanced denials because, like others, U.S. trade negotiators have used information gained by intelligence services. Bush-administration lawyer Jack Goldsmith has argued that the government’s “complaints seem to amount to the claim that the Chinese are not playing by the rules that suit the USG.” From a Chinese perspective, expressed often in private but rarely in public, commercial spying can be seen as part of an effort to shore up a broader, economy-inclusive conception of national security. The U.S. assertion of a bright line between security and commercial espionage has, for various reasons, fallen flat.
In May 2014, the Obama administration, apparently dissatisfied with China’s responses on the issue, indicted five individual members of the PLA. The indictment accused the PLA members of thefts from Westinghouse, U.S. Steel, SolarWorld, and other companies, and asserted that the Justice Department has evidence that Chinese state-owned enterprises stood to benefit. Predictably, the Chinese government denied everything. It also suspended the new Cyber Working Group and made a series of possibly related moves against U.S. technology firms. It goes without saying that the five PLA members will not be extradited and will not appear in U.S. courts. The Obama administration doubled down on the commercial theft issue and, so far, has nothing to show for it.
Meanwhile, a kind of quiet arms race is under way online and in computer hardware. Longstanding trends in U.S. and Chinese military and strategic doctrine suggest that both governments are developing the capability to exploit or disable computer networks and hardware in a time of crisis or conflict. For instance, Chinese military thinkers have long emphasized the need to slow or disable a U.S. military response in case of a Taiwan contingency through hacking military systems, taking down civilian networks, or shooting down satellites. In the United States, we now know a lot more about what the National Security Agency is capable of, and the U.S. military’s Cyber Command has broad responsibilities to develop defensive and offensive capabilities in the digital realm.
Just because this online arms race is quiet doesn’t mean it isn’t dangerous. The United States and China are by no means the only states developing capabilities to disrupt military and civilian computer systems that are critical to maintaining everyday order and protecting human lives. And states aren’t the only entities capable of developing devastating cyber capabilities.
Still, the United States and China face the possibility of broader strategic rivalry as China rises and its goals and actions conflict with long-recognized U.S. interests. Both governments spend a lot of time thinking about how to deescalate potential conflicts at sea, in the air, and even in nuclear confrontations. But critical computer networks can never be 100 percent safe from disruption, and they are another potential strategic flashpoint for the United States and China. If someone — anyone — disrupts a critical U.S. or Chinese system, the two governments need ways to determine whether the other is responsible and how they should respond. They need to develop the world’s first-ever understandings regarding fundamental strategic cybersecurity questions — for instance, what constitutes an act of war? These questions can’t be answered, and strategic instability will increase, so long as U.S.–China cybersecurity dialogue is focused on the issue of trade secrets.
Developing cybersecurity norms has been a huge challenge for the many hundreds of experts worldwide who have tried. Just reaching mutually acceptable definitions for various types of cyber events can consume hundreds of hours. But like in climate change and many other areas, if the United States and China can come to a workable arrangement, it can serve as a model for the rest of the world. The U.S. government should press economic grievances through other means and focus its cybersecurity efforts on the real strategic challenge.
Graham Webster (@gwbstr) is a Senior Fellow, U.S.–China Relations at the Yale Law School China Center.