This past Monday, the Department of Justice released a formal indictment against five Chinese military hackers for a number of offenses–including computer hacking and economic espionage–directed at some of the largest American companies in the US nuclear power, metals, and solar products industries. The indictment indicates that the hackers are members of Unit 61398, the Shanghai-based cyberunit of the People’s Liberation Army. China has sanctioned some of the most well-known economic cyber-spying against the United States for the past five years. In 2011, the Office of the National Counterintelligence Executive issued a thirty-one page report on foreign cyberthreats to US companies and publicly affirmed China’s large-scale theft of intellectual property.

This is the first time the United States has brought a criminal cybercrime case against government officials, and it may mark the beginning of a major shift in US policy regarding cybersecurity.  While it is unlikely that the defendants will ever be convicted, or appear in the United States at all, this indictment appears to be intended to alert foreign governments that the United States is unwilling to tolerate corporate, economic cybertheft. Harvard Law School Professor Jack Goldsmith notes that while the indictment may not slow China’s espionage efforts, it signals that the United States is “willing to raise the stakes.” Indeed, Robert Anderson, executive assistant director of the FBI’s cyber division, went so far as to say that “[t]his is the new normal. This is what you’re going to see on a recurring basis,” suggesting the possibility of more indictments against foreign cyberspies in the near future.

The United States political commitment to strengthen and enforce intellectual property protections raises a number of questions to evaluate and debate. Chief among those questions seem to be: 1) is there an appreciable difference between the cyber-spying that the United States engages in and that which it publically condemns; and 2) is the criminal justice system a useful avenue for enforcing cybersecurity against foreign governments?

 

Can’t Touch This: Intellectual Property is Different

In response to the first question, the Obama administration asserts that there is a clear distinction between cyberspying for national security versus spying for the economic advantage of individual companies. In a public speech a few days after the DOJ unsealed the charges, John Carlin, the Assistant Attorney General for National Security of the Department of Justice, claimed, “no nation…publicly states that theft of information for commercial gain is acceptable.” While the US and other nations engage in foreign intelligence collection, Carlin notes, it does so under the framework of the rule of law. Our legal framework subjects information gathering to significant oversight and expressly prevents sharing information with private companies for their private gain. These standards are in keeping with a US commitment to encourage innovation via a robust intellectual property regime.

China, on the other hand, appears to be hacking “for no reason other than to advantage state-owned companies and other interests in China, at the expense of businesses here in the United States,” according to Attorney General Eric Holder. Chinese military hackers allegedly target companies such as SolarWorld by stealing their private information including pricing, marketing strategies, and trade secrets. This information is then given to Chinese competitors, who, often backed by government subsidies, then flood the market with deeply discounted solar equipment, virtually killing off any US competition.

Critics argue that this “line” is merely a rhetorical distinction without a difference. Securing business secrets, they argue, is an integral part of national security, particularly for countries looking to grow their international economic influence. Furthermore, the United States has been known to spy on, and arguably for the interests of, corporations when it believes a foreign company’s plans or intentions pose a threat.

 

Risky Business: Issuing Sanctions and Maintaining Resolve

Addressing the second question, Carlin claims that law enforcement investigations will empower other agencies to act with greater authority. The Department of Treasury, for example, will be permitted to issue sanctions that bar cyber-offenders from engaging in financial transactions with the US or deny access to the US financial system. Likewise, formal investigations may provide the State Department with additional tools to facilitate diplomacy with both offending and victimized nations.

Although the indictments are, in large measure, purely symbolic, The United States has already begun to witness a breakdown between US-China diplomatic relations. If the indictment is meant to demonstrate the United States’ commitment to deter corporate cybertheft, then the US and China may be about to engage in a diplomatic sparring match. Former Deputy Assistant Secretary for Policy in the Department of Homeland Security Paul Rosenzweig believes that the administration’s timing, coupled with its transparent disclosures, displays a strong indication that the government is ready to parry whatever political disputes lie ahead.

As the United States reclaims an active role in the international cybersecurity arena, it will begin to mold and refine important distinctions between national security and private intellectual property interests.


– Christine M. Carletta


Image Source

Comments are closed.