If sanctions don’t stop China’s hacking, what will?
It’s getting to the point where elected officials and cybersecurity policy experts agree the Obama administration should do something in retaliation for China’s continued cyber espionage against American companies — they just can’t agree on what.
Since China and the U.S. inked a deal in September pledging that neither country would engage in hacking for economic gain, there have been a smattering of reports that China has not lived up to the agreement. Earlier this week, Bill Evanina, the head of the National Counterintelligence and Security Center, said he’s seen “no indication” that China has curbed its state-sponsored hacking capabilities, according to a Reuters report.
Experts discussed what should come next during a forum Wednesday held by the Bipartisan Policy Center, which examined policy options from economic sanctions to indictments to arming companies with the ability to hack back.
Sen. Cory Gardner, R-Colo., who serves as the chairman of the Senate Foreign Relations’ Subcommittee on East Asia, The Pacific and International Cybersecurity Policy, said language needs to be added to the September agreement that better defines punishment if China violates its terms.
“There is no real punitive context read out of this agreement,” he said. “They need to agree to some kind of punitive action. I don’t think we can take anything off the table.”
In a report released Wednesday, the US-China Economic and Security Review Commission, a group created by Congress to measure national security implications of the economic relationship between the U.S. and China, said one of those punitive actions should be allowing companies to hack back, given that China is pushing policy that would limit U.S. companies’ participation in the Chinese market on top the country’s theft of their intellectual property.
“For these reasons we believe it is important for Congress to assess whether U.S.-based companies that have been hacked should be allowed to engage in counterintrusions for the purpose of recovering, erasing, or altering stolen data in offending computer networks,” the report reads. “In addition, Congress should study the feasibility of a foreign intelligence cyber court to hear evidence from U.S. victims of cyberattacks and decide whether the U.S. government might undertake counterintrusions on a victim’s behalf.”
Gardner said he would prefer to “tread lightly” on hack-backs, rather focusing any sort of punishment on economic sanctions on indictments, like the one issued in May against five members of China’s People’s Liberation Army.
The indictments are something closer to what former State Department official Randall Schriver thinks should be done if the U.S. is to present China with a level of deterrence that would curtail hacks.
“If what we want to do is stop this, then we have to get serious and we have to target the people that are doing it,” Schriver said. “[Hacking] is national level policy guidance through [China’s] Central Military Commission, to the General Staff Department to the PLA.”
Robert Knake, a former director of cybersecurity policy for the National Security Council, said it would be easier for the government to move past sanction threats if companies would admit they’ve been targeted by China, something he has yet to see occur.
“[Companies] fear what will happen if they stand up and say they were targets,” he said. “From their perspective, [hacking] is the cost of doing business.”
Former National Security Agency counsel Stewart Baker said sanctions might be the best route, with the added support from other G-20 countries, such as Germany, France or Britain that have also come against state-sponsored corporate espionage. Earlier this week, G-20 countries signed a pact saying no countries should conduct “theft of intellectual property, including trade secrets or other confidential business information.”
“Pick sanctions where U.S. industry isn’t vulnerable to hostage taking by the Chinese and the evidence is such that we can talk about it publicly,” Baker said. “I think the Germans, the French and the British would all get on board with that.”
The U.S. and China plan to hold ministerial-level talks in Washington, D.C., at the beginning of next month related to the September agreement. Gardner hinted that those talks could turn toward sanctions, given that China has shown no signs of curbing their hacking practices.
“I find it hard to believe in the world of digital communication that [the Chinese] haven’t heard that this isn’t appreciated and that we’ve agreed to knock this off,” he said. “We are approaching the end of the grace period.”