Monday, June 23, 2014

The flawed US indictment of Chinese hackers





But in standing up to — and even taking action against — Beijing’s military and economic cyber sabotage, the US needs to present the world with a more precise and clearly delineated defence of why it undertook this action.

As Ariel Rabkin recently pointed out, part of the problem relates to the ‘dangerous’ precedent that the US is setting by holding that ‘uniformed military personnel can be indicted by foreign powers for activity conducted lawfully in their home country’. Given the sweeping activities of the NSA, ‘any hostile government, or impish prosecutor’ will be able to indict US security officials under this doctrine. Nor is there any ‘clear theory or doctrine of just how far national jurisdiction can be pushed’.

The 31-count indictment alleges that, among other offenses, members of Unit 61398 of the People’s Liberation Army conspired to commit computer fraud, accessed computers without authorisation, damaged computers through transmission of malware code and commands, committed economic espionage and stole trade secrets. The indictment identifies as victims five US-based companies — Westinghouse, Alcoa, Allegheny Technologies, US Steel, Solar World — and one labour union, the United Steel Workers.

What is striking about the indictment is that though conservative estimates of Chinese cybertheft of US intellectual property run to US$100 billion and beyond, the technologies named in the indictment, while not insignificant, are not at the cutting edge of US technology advantage. With respect to Westinghouse, the indictment cites theft of certain pipe designs and specs. Yet most of the stolen documents relate to negotiations for future business deals and Westinghouse’s future strategy for dealing with China’s State Nuclear Power Technology Corporation — certainly important documents, but largely unrelated to IP.

The same paucity of evidence of IP and technology theft characterises the indictments related to the other four companies. This has led Jeffrey Carr, a security analyst, to conclude: ‘The problem of IP theft by nation states is ongoing and relentless. If this is the best that the Department of Justice can do, things will get much, much worse for US companies’.

But the real gravamen of the administration’s case was the attempt to draw a clear line between two forms of economic espionage: stealing IP or trade/business secrets by government or even private hackers and passing that information on to individual domestic corporations, and stealing economic information for either non-economic reasons or to advance economic goals not specific to a particular corporation.

Much of the cyber theft detail set forth in the Pittsburgh indictment relates to trade disputes and cases that three of the companies (US Steel, Solar World, and Allegheny Technologies) and the steelworkers union were involved with against Chinese companies. Though labelled ‘trade secrets’, the material basically related to strategies and pricing data to be used to further actions against Chinese companies.

The problem here is that such espionage activities are clearly within the orbit of actions taken (and vigorously defended) by the US government. The Snowden leaks provide an abundance of evidence in this area. For instance, in the US intelligence agencies’ ‘black budget’, there is a special section related to trade which states that the intelligence agencies will ‘directly support and strengthen’ trade enforcement actions and the goals of US trade negotiations. As to individual instances, the Europeans have been vexed at revelations that US officials exploited hacking in trade negotiations over the past decade — and gained access to European Commission information relating to antitrust actions against Apple, Motorola, Microsoft and Intel.

While there is no evidence that the US government gave information directly to individual corporations, the material gleaned from the spying operations certainly benefitted US businesses and workers. The larger point is, as New York Times reporter David Sanger has written: ‘The government does not deny that it routinely spies to advance American economic advantage, which is part of its broad definition of how it protects American national security’.

The sweeping, emphatic promise to go after all perpetrators of economic sabotage also presents future challenges. The problem, as former Defense Secretary (and former CIA Director) Robert Gates has pointed out, is that: ‘There are probably a dozen or 15 countries that steal our technology in this way. In terms of the most capable next to the Chinese are the French — and they’ve been doing it a long time’. Gates and others have pointed also to the Russians, several Eastern European countries, and the supremely competent Israelis. Does the administration really intend to follow through on Carlin’s sweeping commitment?

The point of this is not to call for a halt to US actions to counter Chinese (or other states’) economic sabotage. Rather it is to argue that the Obama administration needs to tighten and strengthen its case. For instance, among the voluminous and rich cyber files in NSA and CIA vaults, there must be striking examples of purloined technologies, the possession of which has allowed Chinese companies and sectors to leap to the forefront of world competition (the equivalent of China’s purported theft of the F-35 stealth fighter designs). Future indictments should target and widely publicise these technological thefts, in contrast to the trivial technologies that form the basis of the current indictments.

Second, it would be wise for the US to separate corporate secrets related to trade disputes and litigation from trade secrets related to future competitive strategies against Chinese (and other national) companies. The Wall Street Journal’s Holman Jenkins, Jr, lamented in regard to the current indictments that: ‘sadly the picture is muddied by Washington’s focus partly on data related to trade litigation and green subsidies, areas where an odour of cronyism wafts from our side, too.’ In the current indictments, there were business strategies unrelated to trade litigation that were hacked from Westinghouse and Alcoa, but their significance got lost in the heavy emphasis on the trade disputes data.

Third, while it plays well politically and in the domestic media, the administration would be well advised to tone down its moral indignation against Chinese incursions. Though it may seem utopian at this point, at some time in the future America will have to reach an accommodation with China and other nations on the broad challenges of cybersecurity. Naming and shaming individual Chinese military units and individuals should be viewed as a necessary interim tactic, rather than a long-term solution.

This leads to a final point: Secretary Gates admitted that he does not know ‘where it goes from here.’ The administration is probably in the same position. Is the US willing to take more definitive action against Chinese companies — denying them access to US financial resources, or access to American markets, if they have been shown to benefit by IP theft (a hugely difficult case to prove, admittedly)? Is it willing to bear the brunt of retaliation from China against many of America’s world-leading high-tech companies, and to achieve credibility by taking action against other nations whose companies also benefit from economic spying?

None of the above is intended to place singular blame on the Obama administration: this is new territory, and balancing national economic and security interests will be difficult and, potentially, treacherous. Getting the priorities and terms right in future Chinese indictments would be a good start toward a more carefully thought out set of policies.

Claude Barfield is a resident scholar at the American Enterprise Institute for Public Policy Research.

A version of this article was first published in Tech Policy Daily.

 
