Influencers: China’s arrests of hackers don’t prove commitment to stop economic espionage
A majority of Passcode’s Influencers say news that China arrested hackers accused of stealing trade secrets from American firms doesn’t prove Beijing is serious about upholding its commitment to curtail economic espionage.
In what an “unprecedented” move, China arrested several hackers suspected of working for the benefit of state-operated Chinese companies, after inking an agreement with the US banning digital spying for economic gain. But 78 percent of Passcode Influencers said the move does not prove China is willing to follow through on its promise.
“China’s arrest of hackers represents its leadership throwing the White House a political bone – nothing more,” said one Influencer, who chose to remain anonymous. “Meanwhile, the networks of American companies remain in China’s crosshairs, despite the pledge by President Xi [Jinping] to clamp down on the theft of trade secrets and intellectual property. It seems all but certain that little will curtail Chinese economic cyberespionage until the US and allied nations impose economic penalties on China.”
Passcode’s Influencers Poll is a regular survey of more than 120 experts (listed below) in digital security and privacy, from across government and the private sector. To preserve the candor of their responses, Influencers have the option to comment on the record or anonymously.
The arrests were a good faith gesture in conjunction with President Xi’s visit to Washington late last month, agreed Representative Jim Langevin (D) of Rhode Island, “and I certainly believe the Chinese were very serious about not wanting to embarrass their president on US soil.”
However, Mr. Langevin said, “unless there’s a sustained commitment to alter the overall trajectory of Chinese behavior in cyberspace, it’s just window dressing.” For China to prove it’s serious about upholding its commitment against economic espionage, added Bob Stratton, a general partner at the Mach37 cyber accelerator, it will take more than one arrest, but instead, “a pattern of similar enforcement actions over time.”
One Influencer said China’s actions did demonstrate its commitment to fight cyberespionage in this case – but likely for the wrong reasons. The arrests of these hackers were reportedly made at the US government’s urging. “It’s arguably embarrassing to the Chinese government that this was tracked, suggesting the PLA [People’s Liberation Army] needs to improve its methods. So, lots of motives for cracking down on hackers,” said the Influencer, who chose to remain anonymous. “The Chinese government is serious about curtailing economic cyber-espionage by certain actors, through certain means and for certain goals; but this is understandably a straightforward national interest calculation.”
Motives aside, some Influencers said it’s premature to speculate whether this move would hold any significance in the long run. “Until we have more details publicly available about the scope of the arrests, the backgrounds of the individuals, and any pending trials or sentencing of these individuals, there is still no clear indication yet that China is serious about upholding its commitment to curtail economic cyberespionage,” said Amy Chang, staff director for the House Foreign Affairs subcommittee on Asia and the Pacific.
Still, a 22 percent minority of Influencers said the arrests could indicate willingness on China’s part to stymie cyberespionage. “Establishing trust is a gradual process that requires many small, incremental steps,” said Ely Kahn, cofounder of big data analytics firm Sqrrl, and former cybersecurity director at the White House. “This is a first good step.”
But even some Influencers who were optimistic that the government did intend to take this first step toward upholding its commitment said there could be other factors that complicate the viability of the US-China agreement. “While this shows the government is serious about upholding their commitment publicly, I remain concerned that they cannot control their hacker community,” an Influencer said. “And they need to ensure their government is not complicit in stealing secrets supporting Chinese industry.”
Comments:
No:
“The distinction between ‘strategic’ espionage and ‘economic’ espionage just doesn’t hold up in today’s world, even though governments (including the US government) like to pretend otherwise.” - Steve Weber, University of California at Berkeley
“This feels like an evolution of politics. They need to appear as if they care, but it is unlikely to curtail any meaningful amount of espionage.” - Robert Hansen, WhiteHat Security
“China arresting cyber criminals based on US evidence is likely a gesture to avoid sanctions, without signaling an overall shift in policy in China on government-sanctioned Internet espionage. As was the case when a similar arrest was made in 2010, the real test would be in whether the case ever goes to public trial and what happens to the accused criminal if found guilty. Getting China to agree to a new set of norms will be a longer term challenge. Technology is moving so quickly, and gaining competitive advantage in the next few years will be key to establishing trends in the global economy for decades to come. The population of internet-connected users in China is already so high compared to the United States, with over 626 million versus 276 million in 2014, according to the CIA. The nations that can innovate fastest will gain increasing economic leverage worldwide, and right now is a pivotal time to establish that technological dominance.” - Katie Moussouris, HackerOne
“They are doing the minimal amount of effort so they can claim cooperation and avoid sanctions under the recent executive order.” - Influencer
“It’s far too early to tell. At the time of writing this comment, there has only been one news story on the arrest. Please see my story ‘Does America want China arresting hackers?’ for more.” - Richard Bejtlich, FireEye
“I think it signals that they realize it’s a conversation that needs to happen but whether or not they take it seriously is a different story. It’s an economic issue to them so if we consider how cyberespionage has advanced their technology and benefitted their economy, you have to question the seriousness of the commitment.” - Mark Weatherford, The Chertoff Group
“Once again a loaded question! Yes, in certain respects, China is being serious about its commitment to fight cyber-espionage. In this case, the PLA [People’s Liberation Army] may have been engaged in activities to line their own pockets or support affiliated organizations. President Xi’s anti-corruption approach and interests synch in this case with the USG’s interests. Further, it’s arguably embarrassing to the Chinese government that this was tracked, suggesting the PLA needs to improve its methods. So, lots of motives for cracking down on hackers. Other motives include a likely genuine need for more innovation and entrepreneurship in China, something local business will not achieve in the long-run through cyber-theft. So, yes, the Chinese government is serious about curtailing economic cyber-espionage by certain actors, through certain means and for certain goals; but this is understandably a straightforward national interest calculation.” - Influencer
“Arresting a lone hacker does almost nothing to change the general ethos of a country. Unfortunately, before we throw too many accusations at China, we need to look at US complicity in undermining international laws that would make hacking illegal. Until the US is willing to abide by the same international norms it is asking China to unilaterally adopt, very little will change.” - Sascha Meinrath, X-Lab
“‘Round up the usual suspects’ was a great line in a film, but in real life it’s just evidence of an oppressive regime’s ability to mount public relations campaigns on the backs of its people. This, like squishing with a bulldozer piles of CDs of music or computer programs, is a theatrical, made-for-media event, unrelated to cyber espionage activities.” - Nick Selby, StreetCred Software
“It’s an interesting move but without more context it may have just been a convenient opportunity regarding internal power struggles that just also happens to look appropriate with the timing.” - Influencer
“We have to wait and see whether (i) this results in an actual prosecution and substantial jail time and (ii) they prove willing to do it in future instances that do not involve a looming state visit.” - Bobby Chesney, University of Texas School of Law
“When China shuts down their PLA [People’s Liberation Army] unit 61398 and the thousands of other Chinese government-directed CNE and CNA units, then we decide whether Beijing is being ‘serious.’” - Influencer
“China’s recent arrest of hackers does not signal that Beijing is serious about upholding its commitment to curtail economic cyberespionage; but, the arrest does signal the fact that the Chinese government has compromised on a longstanding debate between the US government and the rest of the modern world around the idea that economic espionage is a separate and distinct thing from espionage conducted in the name of state security. I don’t want to be overly dramatic here, but I think this is a tectonic shift in the Chinese foreign policy approach around cyberspace. Before the agreement between President Obama and President Xi, the U.S. was the only modern country that took such a position. As always, the devil is in the details though. It matters what happens to these Chinese hackers in terms of a trial and subsequent punishment. And it matters about any kind of future Chinese hacking. It was not a good sign that CrowdStrike recently announced that it had tracked an adversary group called Deep Panda attacking American technical and pharmaceutical companies leading up to and after the agreement announced by President Obama and President Xi. That said, it is not like President Xi has a tight control over every aspect of Chinese Government activity. We know that there are at least three Chinese government organizations authorized to conduct offensive operations: the People’s Liberation Army (PLA – equivalent to the US Department of Defense), the Ministry of State Security (equivalent to the US National Security Agency) and the Ministry of Public Security (equivalent to the US Federal Bureau of Investigation). It will take some time for President Xi’s policy guidance to filter down through these distinct organizations if at all. We will have to watch closely, but this is a good start.” - Rick Howard, Palo Alto Networks
“China is consistently on the offensive when it comes to protecting its own interests. It purposely sends mixed messages to confuse political opponents and further its interests.” - Influencer
“One news report does not make a fact. I have yet to see the [Ellen] Nakashima story echoed elsewhere notably the New York Times (the only New York Times reference to the arrests cited the Nakashima story). A week before the Obama-Xi agreement, the New York Times asserted that the two countries were going to agree not to attack each other’s critical infrastructure – but that story was never confirmed by the Washington Post and turned out to be wrong.” - Influencer
“There is a single uncorroborated report that China has arrested people. Such reports should be regarded skeptically. For instance, the New York Times reported that the United States and China would agree to not attack each other’s critical infrastructure. It was never corroborated in any other outlet and turned out not to be true.” - Influencer
YES:
“The arrests are a first step, a signal of good faith. However, it remains to be seen whether the arrests will be followed up with prosecutions and continuing cooperation in the effort to deter what has become rampant cyberespionage for the benefit of industry.” - Melanie Teplinsky, American University Washington College of Law
“It is no longer in China’s economic interest to support (actively or passively) cyber-espionage at large scale. The issue for the G-10 is the increase in destructive attacks coming out of the Middle East and Africa. I would expect to see more activities of this kind as China tries to partner with the U.S. and Russia to manage the adversary.” - Influencer
“I can say ‘Yes’ but only in the very narrow sense that the steps evidently taken are necessary. BUT NOT SUFFICIENT. It remains to be seen. See comments by Catherine Lotrionte. It is entirely conditional on whether the Chinese path leads to the rule of law or to show trials.” - Dan Geer, In-Q-Tel
“China has had its own problems with hackers for many years. Additionally, it has significantly advanced its own technological growth, so the government can afford to make promises that it has every intention of keeping. On the other hand, it still engages in multiple forms of technology transfer that have nothing to do with hacking, it has a population of hackers that act independently from the government, and it has an unknown number of foreign hackers operating out of Chinese IP space - so it may look like China is responsible when a different foreign government is instead.” - Jeffrey Carr, Taia Global
“This is the only first step in addressing China’s hacking concerns.” - Influencer
“I said yes, but this is something it’s hard to be yes-or-no about. If Beijing is arresting criminals (say credit card thieves) while letting the state-sponsored spies continue, then it is a very small good.” - Jon Callas, Silent Circle
“While this shows the government is serious about upholding their commitment publicly, I remain concerned that they cannot control their hacker community. And they need to ensure their government is not complicit in stealing secrets supporting Chinese industry.” - Influencer
“Yes, but... We’ll see if the Chinese follow through from arrest to prosecution of the individuals that the US identified, and if they can convict them on the basis of the information that we can provide. Stay tuned to see if the Chinese try to reciprocate and identify US persons they would like to bring to justice. That would be an interesting development.” - Influencer