
Cybersecurity Strategy Advice for the Trump Administration: US-China Relations

May 8, 2017

Author:

Yuxi Wei

Feature Series

Cybersecurity and the Trump Administration Series

Regional Recommendations for U.S. Cybersecurity Policy in the World

Central Challenge

Cybersecurity is of vital importance to US-China relations, particularly in relation to national information security and the business market. While it is a new realm for trust and cooperation between China and the US, it has already led to a high level of tension.

Recommendations

  1. The US should encourage tech companies to continue scrutinizing cyber intrusions, and the US government should also keep engaging with China on cyber-espionage.
  2. The US should work to restore the trust of the Chinese government and the Chinese market in the aftermath of Snowden’s revelations.
  3. In light of the new Chinese cybersecurity law, the US should maintain its rhetoric of Internet freedom and continue to protest any Chinese move that signals possible protectionism against foreign tech firms.
  4. The US should consider implementing various measures to press the Chinese government to not discriminate against foreign tech companies and to uphold a free-trade environment.

In recent years, cyber-espionage has become a pivotal issue in US-China cybersecurity relations. Cyber-espionage related tension is not necessarily due to political and military espionage, which the US has considered legitimate and normal activity between governments. Instead, the tension is due to government-backed economic espionage meant to aid Chinese state-owned firms.

In September 2015, President Obama stated his concern over economic espionage explicitly in a business roundtable talk, saying that, “We understand traditional intelligence-gathering functions that all states, including us, engage in… [t]hat is fundamentally different from your government or its proxies engaging directly in industrial espionage and stealing trade secrets, stealing proprietary information from companies.” He also indicated that economic espionage is considered “an act of aggression.” Further, in March National Security Advisor Tom Donilon singled out China in his remarks to the President, stating “such activities from any country” cannot be tolerated by the international community.

Since the first report of Chinese hackers breaching US federal government systems in the early 2000s — the so-called “Titan Rain” attack — there have been an increasing number of reported cases of Chinese intrusion into government agencies and private industry. According to a study by Jon R. Lindsay and Tai Ming Cheung, there were 37 reported Chinese hacking incidents before 2014, of which only nine targeted government agencies — the rest of the targets were either commercial entities or were mixed in their targets.[1] Another study by P.W. Singer and Allan Friedman also found that 96% of recorded, state-affiliated cyber-espionage attacks on private businesses and intellectual property in 2012 can be traced back to China.[2] Some of the notable targets include Dupont, Lockheed Martin, Superconductor, Chesapeake Energy, British Gas, Google, and Coca Cola.

Despite the Chinese government’s constant denial of involvement in the attacks, a 2013 report by American cybersecurity firm Mandiant revealed that the People’s Liberation Army (PLA) Unit 61398 was behind most of the industrial espionage activities that strain US-China bilateral relations. The tension between the US and China on cyber-espionage was further heightened in 2014, when the Justice Department alleged that five Chinese military officers hacked US companies. The victims included Westinghouse, SolarWorld, U.S. Steel, ATI Technologies, and Alcoa — all of which are major US industrial and energy firms. However, this accusation drew an angry response from the Chinese Foreign Ministry and its spokesman stated that the allegations were “based on fabricated facts.” He stated that in response to the accusations China would suspend its participation in a US-China working group on cybersecurity, which was set up in 2013 to smooth the relationship and build trust.

China’s cyber-espionage remained a contentious issue for much of 2015, as the US accused China of attacking the Office of Personnel Management’s databases and stealing information about more than 20 million people. Although the case seemed to fall into the domain of political espionage, the vast scope and ambition caused the Obama administration to consider economic sanctions as a punitive measure.

Nonetheless, in 2015 there was also a great breakthrough in US-China relations in cyberspace. During Chinese President Xi’s visit to the U.S. in September 2015, the US and China still managed to reach an agreement that “neither government will conduct or knowingly support cyber-enabled theft of intellectual property.” Meanwhile, both sides also agreed to initiate “a high-level joint dialogue mechanism on fighting cybercrime and related issues.” The first US-China High-Level Joint Dialogue on Cybercrime and Related Issues took place in December with significant outcomes, such as the establishment of a hotline mechanism to avoid escalation of issues and a plan for a tabletop exercise in spring 2016.

Since the 2015 cyber agreement, US-China cybersecurity relations seem to have taken a promising turn. According to a report released by FireEye in June 2016, the number of active network compromises by suspected Chinese groups has dropped significantly, from nearly 40 cases per month to fewer than ten after the US-China agreement. The New York Times reported again on Unit 61398, which it had originally argued was responsible for most of China’s economic espionage cases in cyberspace, stating that the unit “appears to be largely out of business, its hackers dispersed to other military, private and intelligence units.” While there were still attacks seen from China’s side on the semiconductor and aerospace industries, the reduced number does suggest that the rapprochement is a good first step.

Chinese New Cyber Law and US Companies

While the cyber agreement between China and the US eased tensions and seemed to turn their bilateral relationship towards cooperation, the new Chinese Cyber Law could complicate this positive arc. The new Chinese Cyber Law was approved in November 2016 and has significant implications for US technology companies in China.

The stated purpose of the law is to stop cyberattacks and prevent cyber-terrorism; however, foreign observers find several parts of the law problematic. For instance, the law’s Article 24 asks all companies to verify users’ real identity when providing “information dissemination and instant messaging services.” This article may further erode the country’s Internet freedom. The most controversial rules in the law are Articles 28, 37 and 38, which require Internet operators to provide technical support for the government’s security and crime investigations, ask those in “critical information infrastructure” to store all personal information and “important data” collected in-country in China, and require companies to undergo security reviews by government agencies annually.

Although the law will not be in effect until June 2017 and how the government will implement the law is still unclear, it has received criticism from foreign business groups. James Zimmerman, chairman of the US Chamber of Commerce, has called the law “a step backwards for innovation” without much security benefit. Foreign firms’ major concern is that under the requirement for “technical support,” they may be forced to hand over source code and other proprietary information. In the law, “critical” areas required to give up information are defined by the government to include telecommunication, energy, transportation, information services, e-government, and finance. Furthermore, the rules are suspected to be motivated by protectionist sentiment, worsening the investment environment in China.

The anxiety of foreign companies, especially the US firms that have significant market share in China, is not ungrounded. The discussion of the law has been on-going since the first draft came out in July 2015 and some of the regulations were mentioned in other cybersecurity-related laws and implemented against foreign companies even earlier.

Since Edward Snowden’s revelation in 2013 about the National Security Agency’s surveillance on US tech products for espionage purposes, China has tightened its control over the tech market to ensure the technology products supplied to government agencies and vital infrastructure sectors are from more reliable sources – meaning Chinese domestic companies. By the end of 2013, IBM, HP, Microsoft and Cisco had all experienced a decline in sales in China and executives indicated that despite the slowing Chinese economy, Chinese actors had begun to favor indigenous products. Cisco executives were explicit that Chinese customers may be cutting purchasing of US products in response to Snowden’s revelations. Qualcomm’s CEO pointed out that it was a pressure shared by all US tech companies.

In response to the revealed NSA surveillance, the November 2014 initial draft of the Chinese Counterterrorism Law for the first time mentioned the requirement that all telecommunication operators and Internet service providers report cryptography, provide technical support for terrorism cases, and store all relevant equipment and locally collected user data in China. Also, the new regulations adopted in January 2015 required financial institutions to use “secure and controlled” equipment — and will eventually require all tech companies that sell to Chinese banks to disclose source code to the Chinese government.

Both regulations caused the US government and foreign companies to protest, and as a result, when the law was formally passed in December 2015, the draft language on cryptography and data localization was removed, and the new banking-sector policy was also suspended in April 2015. However, the new cybersecurity law still articulates the requirement for data localization, and the new draft on insurance IT regulations issued in October 2015 is similar to that on banking.

At the same time, the repercussions of the Snowden case continue to occur for US tech companies. China Daily, a news agency owned by the Chinese State Council Information Office, described Google and Apple as “cyber security threats to Chinese users.” The same article also noted Yahoo, Cisco, Microsoft and Facebook’s transfer of users’ information to the NSA. In May 2014, the government procurement center announced a ban on Microsoft Windows 8 for government computers and, in July 2014, the Apple iPhone was called “a national security concern” by Chinese state broadcaster China Central Television.

The Chinese government’s suspicion of US companies did not remain verbal, but led to a series of inspections. By the end of 2014, Microsoft and Qualcomm had faced antitrust investigations and Google had seen all of its products blocked. In January 2015, Apple revealed that the Chinese government had requested it undergo China’s cybersecurity review. Apple agreed and became the first US company to participate in the review.

Later, in February 2015, Qualcomm was fined $975 million by Chinese antitrust regulators as a result of the investigation. The most recent case of China’s security interrogations of foreign firms is Apple’s involvement in the Chinese cybersecurity review in May 2016 following Apple’s compliance with the Chinese government’s demand for its source code. Consequently, in the face of China’s increasingly stiff cybersecurity regulations, US companies feel coerced to conduct business through Chinese business partners in order to maintain access to China.

Recommendation 1

While China’s economic espionage behavior has declined significantly since the US-China cybersecurity agreement, China’s cyber intrusions into US firms have continued. FireEye’s 2016 report points out the decrease in numbers of cyber compromises conducted by suspected Chinese groups, but it also suggests the hackers installed “back doors” to enable future spying.

However, the picture of current Chinese intrusions is unclear. As Laura Galante, the director of threat intelligence at FireEye, pointed out, security firms do not necessarily track attacks in real time for a variety of reasons. As FireEye CEO Kevin Mandia indicated, how well the companies keep logs may have an impact on the investigation of malicious activities. Therefore, the data is not necessarily representative of what is actually happening. The uncertainty leads to the possibility that the report which came out in June may not accurately present the number of Chinese cyber breaches on US firms in 2016.

Meanwhile, Chinese hackers have increased their skill, allowing more specific, concentrated, and higher-grade hacking on strategic targets. According to an intelligence report disseminated in September 2016, China’s biggest cyber spying operation has been carried out since at least October 2015 and involves the theft of 1.65 terabytes of proprietary data from a major US software company. In light of these activities, good agreements are necessary.

The Russia-China cybersecurity agreement illustrates that such pacts are only the beginning of good relations. Although China signed a non-aggression cyber agreement with Russia in 2015, Kaspersky Lab, a cybersecurity company based in Russia, noted in August 2016 that Chinese actors were hacking into Russian industries including defense, nuclear, and aviation. These hacks increased to 194 in the first two quarters of 2016, compared to 72 in the whole of 2015. Therefore, the cybersecurity agreement between China and the US is merely a starting point, and the issue of economic espionage should be constantly brought up to Chinese high-level officials in the bilateral cyber dialogues for pressure.

The US should encourage tech companies to continue scrutinizing cyber intrusions and pay close attention to those originating from China. At the same time, the US government should keep engaging with China on cyber-espionage, and continue to hold bilateral talks at the senior level.

Recommendation 2

Snowden’s revelations of NSA surveillance have damaged the vulnerable trust between China and the United States. Since then, the Chinese government has adopted stricter cyber regulations and continuously placed foreign businesses under security review. As US-China relations have many possible domains of conflict, the business ties between the Chinese market and US firms should be a stabilizing element. Therefore, it is necessary to restore the Chinese-US relationship both on the government level and on the market level. On the government level, it is necessary to pursue the rapprochement strategies mentioned in the agreement, such as having more frequent high-level talks.

At the same time, US tech companies have criticized the US government for demanding access to encrypted communication. In 2015, Apple, Google, Facebook and other major tech firms were reported to have signed a letter to the Obama administration to oppose lowering encryption standards and creating a “back door” for government agencies. In 2016, Apple also took a stand against the FBI on the matter of technological back doors, which was echoed by Google, Microsoft and Facebook’s joint statement that objected to the idea of putting “back doors” into products for law enforcement agencies.

While the government needs to take measures to ensure national and civilian security, such open letters send a signal to foreign governments, including China, about the innocence of US companies in surveillance and their genuine intent of doing business abroad. Thus, on the business level, the public denunciation of the US government by these major tech firms may decrease suspicions and reestablish trust, and should be encouraged.

The US should restore the trust of the Chinese government and the Chinese market in the aftermath of Snowden’s revelations in 2013. More frequent high-level talks on cyber-policy should be held to build mutual trust and prevent unexpected events from causing hostility. Meanwhile, the US government should welcome and encourage denunciations from tech firms as a sign of the firms’ separation from US government policy.

Recommendation 3

The 2011 International Strategy for Cyber Space released by President Obama declares that the US has a national interest in constructing an “interoperable, secure and reliable cyberspace,” and acknowledges the US commitment to freedom of expression, privacy and free flow of information. The report also recognizes these policy priorities to be the basis of sustaining a free-trade environment and protecting intellectual property. Internet censorship in China has long drawn criticism for its abuses of freedom of speech and freedom of access to information.

However, China’s recent discriminatory moves against foreign firms and requests for data localization create new problems, as the requests jeopardize the free-trade environment. Therefore, the US needs to reaffirm its stance and continue to protest China’s violation of the concept of Internet freedom. This work should be done together with US business groups and with other governments that hold the same values as the US.

Meanwhile, the US needs to make clear to the Chinese government that undermining free-trade and free flow of information will cause more harm to China than any theoretical security gains under the new law. US businesses have already written a letter asking the Chinese government to reconsider elements of the cybersecurity law that would create discriminatory cybersecurity policy, isolate Chinese companies, and worsen cybersecurity issues.

The U.S. should maintain its rhetoric of internet freedom, which is undermined by the new Chinese cyber law, and continue to protest any Chinese move that signals possible protectionism against foreign tech firms. It is necessary to emphasize the importance of a free market environment and the flow of information.

Recommendation 4

Apart from rhetorical protests, the US should prepare for imposing economic sanctions upon China and bringing the issue to the WTO. These measures have been effective in dealing with China in some cases. For example, prior to President Xi’s visit to the US for cybersecurity talks in September 2015, the Obama administration was developing a package of unprecedented economic sanctions against Chinese companies and individuals that had benefitted from the government-backed economic espionage. The sanctions attempt underlines the US government’s severe frustration over Chinese espionage activities.

Although there is no direct evidence that the intent to impose sanctions led to the agreement, the timing of the two events makes it reasonable to believe that the threat of sanctions provided positive results and facilitated the agreement. In another case, China suspended its banking regulations in the IT sector in April 2015. Since the approval of regulations in January, US business groups and the US government had expressed their opposition by directly writing letters to Chinese cybersecurity officials. The US’s vocalization of the criticism that the banking rules violated China’s trade obligations, and communications sent to the WTO questioning the Chinese bank rules, succeeded in finally pressuring China to halt the regulations. Therefore, given the decline of the Chinese economy, the Chinese government will be more cautious in making cybersecurity decisions when facing potential economic consequences.

The U.S. should consider implementing various measures to press the Chinese government to not discriminate against foreign tech companies and to uphold a free-trade environment. Such measures include bringing the case to a multilateral organization for judgement and imposing economic sanctions. Despite the interdependency of the US and Chinese economies, showing gestures of imposing sanctions on targeted Chinese individuals and companies has proven effective in the past. However, economic sanctions could lead to retaliation and should only be a last resort.

Endnotes

[1] Jon R. Lindsay and Tai Ming Cheung, “From Exploitation to Innovation: Acquisition, Absorption and Application,” table 3.1.

[2] P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know (New York: Oxford University Press, 2014): 95.

This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.