After years of fits and starts, official conversations on cybersecurity between U.S. and Chinese representatives have sputtered to life in recent months. In September, after President Xi Jinping visited President Barack Obama in Washington, both governments released identical language forswearing “cyber-enabled theft” for commercial purposes. The language was full of wiggle room, but the public joint understanding was a breakthrough—one quickly amplified when G20 leaders included identical language in their November communiqué.
The media attention surrounding a bilateral meeting on cyber crime early this month, however, revealed a contest of statements and leaks that show the complex issues of cyberspace are only beginning to be addressed. In fact, a close analysis of recent news stories, official releases, and anonymous statements to media reveals a morass of competing narratives and versions of reality. At the root of these competing views is the question of whether the U.S. government has started to get what it wants from Chinese counterparts.
One way or another, recent developments have led key U.S. figures to declare a partial victory. Evan Medeiros, a former top White House official on Asian affairs, told the Post, “the big picture is that from 2014 on, the administration pursued a much more direct and coercive approach with China, and it has produced results over time.”
John Carlin, the assistant attorney general for national security, drew a more detailed picture in a recent speech:
In May 2014, after a lengthy investigation, the department indicted five Chinese military officers by name for computer hacking, economic espionage and other offenses directed at American companies. … [T]he investigation, and the public charges it led to, have had a lasting impact. Last spring, our indictment was met with indignant denials. But a year later (and after rumors circulated that additional costs might be imposed), Chinese President Xi Jinping publicly declared, during his state visit in September, that, ‘China strongly opposes and combats the theft of commercial secrets and other kinds of hacking attacks.’ … What began with denials ended, at least for now, with a shift in international norms and a commitment from China to change its behavior.
Carlin was careful not to assert that the Chinese government had acknowledged state-sponsored commercial espionage, but he advanced the idea that his department’s efforts were part of what Medeiros calls “a more direct and coercive approach.” In reality, Carlin does not make a strong case that the military indictments led Chinese officials to change their position. In fact, the immediate result of the indictments was that the Chinese government suspended a brand new bilateral working group on cyberspace issues, and there is little evidence of diplomatic progress in the following months.
Did the indictments at least slow Chinese military hacking? Unclear. “Current and former U.S. officials” recently told the Washington Post the Chinese military has slowed commercial hacking since the indictments. But the same story notes “officials and private-sector analysts” say a Chinese intelligence agency, the Ministry of State Security, has kept at it. Based on some of the same signals, Peter Mattis outlines three plausible scenarios for the Chinese military’s changing role, cautioning against “over-interpreting or rushing to judgment about what the PLA might be doing in cyberspace.” His scenarios reveal that any observed drop in military hacking might correspond to an increase in hacking by Chinese spy agencies or to military reforms ongoing in China. In other words, even if Chinese military hackers stopped targeting U.S. businesses, more evidence would be needed to credit the U.S. indictments.
Because of this, and because Carlin’s speech can be read as a case for the continued relevance of his particular office in cybersecurity efforts, readers should consider it in its bureaucratic context. Similarly, anonymous media comments suggesting that U.S. policy has worked, or that nothing has changed, should be discounted as possibly self-serving unless they provide a compelling and verifiable narrative. Claims by technical experts about the threat landscape also need to be assessed in the context of those experts’ potential bureaucratic or profit motives.
It may still be that U.S. pressure led to results. In April, almost a year after the indictments, Obama signed an executive order putting sanctions on the table in response to attacks on critical infrastructure or economic crimes that pose a “threat to the national security, foreign policy, or economic health or financial stability of the United States.” The possibility of sanctions, combined with the news beginning in the summer that hackers, possibly from China, had stolen millions of U.S. government personnel records, fed intense speculation about potential U.S. sanctions against China leading up to Xi’s September U.S. visit.
At least one plausible narrative holds that Chinese officials believed the theft of personnel records, from the Office of Personnel Management (OPM), had most directly enflamed U.S. counterparts. Just before Xi’s scheduled visit, top Chinese security official and member of the Politburo Meng Jianzhu traveled to Washington for what media accounts said were marathon meetings that seem to have contributed to a breakthrough on cyberspace issues. “U.S. officials” reportedly told the Post that “Meng seemed to think the Americans were primarily concerned about the OPM hack, rather than cyberattacks on U.S. firms,” and that he said the Chinese government was not behind the breach.
Chinese officials reportedly arrested several people after that meeting and before Xi’s visit, but anonymous sources speaking to the Post differed over time on whether those arrested were supposed to be tied to the theft of commercial secrets or to the OPM hack. Chinese media point out that hundreds of alleged hackers have been rounded up in China, and any connection to U.S. demands is questionable. That’s enough unattributed, conflicting information to suggest sources are working from partial knowledge and may have a vested interest in how the stories come out.
China’s official news agency, Xinhua, definitely has a vested interest as the standard outlet for pseudo-official readouts of Chinese diplomatic meetings. Halfway through the first meeting of the new bilateral channel on cybercrime announced by the two governments in September, Xinhua announced: “Through investigation, the [OPM] case turned out to be a criminal case rather than a state-sponsored cyber attack as the U.S. side has previously suspected.” If the Post’s account of Meng’s perspective before the September summit was correct, we can see the emergence of a Chinese official narrative—namely that the Chinese government has conducted investigations and taken action in response to U.S. concerns.
So, has the U.S. government gotten what it wants from the Chinese government? At the very least, the joint declaration on commercial hacking was a significant step. But the conflicting reporting and official statements since then from both countries do not yet support a broader claim of progress, much less a strategic “win” for the United States.