At last month’s state visit by Chinese president Xi Jinping, both Xi and President Obama pledged that their governments would refrain from cyberespionage targeting intellectual property for commercial gain. While that amounted to an encouraging diplomatic advance, it’s also important to remember that Xi also denied that China has ever supported such cyberattacks. As evidence mounts that many such attacks are directly connected to units inside the Chinese military, one has to wonder how much Xi’s pledge will bind future behavior.
Moreover, the distinction between espionage for national security and espionage for private, commercial gain is a far clearer one in the United States than it is in China. The U.S. sees the theft of data and trade secrets from foreign companies on behalf of domestic competitors as beyond the realm of acceptable behavior, limiting its own espionage activities to political and military purposes. China has not accepted this premise, instead viewing state-sponsored commercial espionage as a natural path for a country still working to transition to a modern economy. Indeed, as the Chinese economy enters what appears to be a protracted slowdown—if not a permanently lower rate of growth altogether—we can expect commercial cyberattacks to increase. Gangbuster growth has long been a source of legitimacy for the Chinese government, and an increasing sense of vulnerability will only make cybertheft of intellectual property more attractive.
Not every such theft is as visible as the hacking of U.S. defense contractorsdeveloping the F-35 stealth fighter jet—and the later unveiling of Chinese J-20 and J-31 craft that bore an uncanny resemblance. Nor are the civilian versions as spectacular and attention-grabbing as Sony’s highly publicized data breach. Rather, the slow “drip” of proprietary information and intellectual property, while far less likely to cause headlines, will threaten real damage to the U.S. economy. Anyone who has visited China in recent years knows of the thriving market for bootleg DVDs. While Hollywood is admittedly in no imminent danger of collapse, in his statement to the Senate Armed Services Committee, Director of National Intelligence James Clapper pointed to the danger of an “ongoing series of low-to-moderate level cyberattacks” that will “impose cumulative costs on US economic competitiveness and national security.”
Rather than fuzzy copies of comic book movies, the widespread cyberattacks Clapper warns of are those that target proprietary intellectual property, business plans, and technologies that form the competitive foundation of many American companies. A 2014 study by CSIS and McAfee estimated the global cost of cyber crime at more than $445 billion a year, with casualties including companies like the former Canadian telecommunications giant Nortel. Stewart Baker, the Department of Homeland Security’s former Assistant Secretary for Policy, warned that these cyberthefts will accumulate into a “tax on innovation,” which could gravely erode the incentive for American companies to engage in research and development. When many such companies are already facing perverse incentives to scale back R&D and profit sharing in favor of stock buybacks, the U.S. economy can scarcely afford any more headwinds on investment in the future.
While these types of commercially-oriented attacks are increasingly originating from countries like Russia, Iran, and North Korea, many of the most notable and damaging recent intrusions have been traced back to China. So far, perpetrators of Chinese cyberattacks have been able to carry out their thefts of both military and economic secrets at virtually no cost. Even last year’s dramatic indictments by the U.S. Justice Department of Chinese individuals suspected of cybercrime have turned out to be largely symbolic. In the wake of massive cyberattacks and thefts of sensitive information—like those affecting the Office of Personnel Management—the Obama Administration prepared to levy both new indictments and, for the first time, financial sanctions in retaliation.
With President Xi Jinping’s state visit looming, however, the administration (wisely, in my view) chose to delay imposing these sanctions in hopes of building consensus toward restraining cyberattacks in the economic realm. While Xi’s aforementioned statement is a good start, this vague pledge should be taken as merely that. The road to China’s actual compliance with their pledge will be a winding one, and in the meantime US policy makers should focus on making cyberattacks costlier and their spoils less lucrative. Formal retaliation—like the financial sanctions the White House has prepared—will need to remain prominently on the table. Yet policymakers will have to recognize that such sanctions will bring with them a potentially damaging Chinese response, both politically and economically. Policymakers should not only support universal cyber security measures for private sector companies, but also pursue more creative solutions—such as helping companies “poison the well” with fake but seemingly-attractive data to throw off cyber thieves.
While the Chinese economic slowdown will indeed make cyberattacks more attractive on the demand side, it may also make China’s leadership more sensitive to pressure. As long as the U.S. exercises prudence on how quickly to ratchet it up, the time to apply that pressure is now.