International Cybersecurity: Sanctions or Standoff?*
“The cost to the U.S. economy and to U.S. companies of government-sponsored cyber theft has been on the rise as network intrusions have become more sophisticated and harder to detect…. [taking] valuable technology, trade secrets, and intelligence.”
— U.S.-China Economic and Security Review Commission report to Congress, November 17, 2015
International cyber attacks grow more pervasive by the day. At the same time, people blithely move more and more sensitive data online. The appeal of the cloud, and individuals’ apparent inability to resist clicking strange links, is accompanied by businesses’ need to transmit and store petabytes of information in a digitized age. How should the country address the escalating risk?
Hackers have penetrated JP Morgan Chase, Home Depot, Target, Kaiser Foundation, Alcoa, U.S. Steel, Westinghouse, and other energy grid operators, pursuing blueprints, business plans, credit card numbers, confidential personnel information, social security numbers, and cash. CNNMoney reported:
“TrustedSec discovered spy malware in the software that a major U.S. energy provider uses to operate dozens of turbines, controllers and other industrial machinery. It had been there for a year — all because one employee clicked on a bad link in an email.”
Navy Admiral Michael Rogers, head of the NSA and U.S. Cyber Command, told members of the House Select Committee on Intelligence “there are nation states and groups out there that have the capability to … shut down or stall our ability to operate our basic infrastructure, whether it is generating power across this nation, or moving water and fuel.”
How to calibrate the nation’s response? The carrot or the stick? Policy makers are deploying both. After years of running aground on concerns about Americans’ constitutional rights and privacy, the Administration has created a more incisively targeted counteroffense, including international sanctions and legal charges for cyber attacks, while holding out the carrot of anti-hacking detente.
U.S. businesses themselves cannot legally counter-attack intruders. “Hacking back” ordinarily violates the Computer Fraud and Abuse Act (CFAA), and determining the source of an attack is difficult. “The bad guys don’t tend to use things labeled ‘bad guy server,’” White House cybersecurity coordinator Michael Daniel said to the Washington Post. (Although “some companies evade these restrictions … by putting cyber defence units in countries with few laws governing the internet,” doing so may be neither feasible nor desirable, especially because reverse attacks can lead to devastating reprisals for companies.)
Our government has legal authority to counter-strike, bounded by its own agreements with other countries. It has reserved the right to counter foreign intrusions and announced its cyber attack capabilities. However, retaliation could escalate the “death spiral” and invite counter-retaliation and possible collateral damage. Perhaps for this reason, the Administration has largely placed offensive measures on hold while it pursues multilateral policy agreements such as the November 1, 2015 G20 Summit anti-hacking Communiqué.
Last year, Admiral Rogers told the House Select Committee on Intelligence that “We have got to develop, I believe, a set of norms or principles. … Absent that kind of thing, being totally on the defensive is a very losing strategy.” This year, such norms are moving into place. G20 participants agreed no country “should” conduct or support cyber theft of intellectual property for commercial competitive advantage. Although this language is aspirational, consensus goals can open a path to commitments.
Simultaneously, the U.S. has been laying the groundwork to punish those who support cyber attacks.
- Sanctions authority. This April, President Obama declared malicious cyberthreats a national emergency. He signed an Executive Order authorizing sanctions including the blocking of property, money and services in the U.S. controlled by those engaged in such threats; any donations of food, clothing or medicine to them; and their entry into the United States. These sanctions will apply to any person or entity found complicit in cyber activities threatening the U.S. and compromising critical infrastructure, disrupting computer availability, or misappropriating funds, trade secrets, personal identifiers or financial information for gain.
- Legal charges. On May 19, 2014, the U.S. Department of Justice announced the indictment of five Chinese military hackers “for computer hacking, economic espionage and other offenses directed at six American victims in the U.S. nuclear power, metals and solar products industries,” charging them with thirty-one violations of U.S. laws including the CFAA, aggravated identity theft, and the Economic Espionage Act. Although Edward Snowden’s leaks indicated covert surveillance by the U.S. as well, Attorney General Eric Holder distinguished between intelligence activities and spying “to gain commercial advantage.”
When the indictments were announced, Beijing immediately canceled U.S.-China Internet Working Group activities. This was viewed as a setback, but in a ChinaFile conversation, experts said the short term loss could be an investment in longer term progress. Graham Webster, a Senior Fellow at The China Center at Yale Law School, said “The Chinese government is forced to consider that more costly measures may be on the U.S. menu, and may eventually take the problem more seriously….” Tai Ming Cheung, director of the University of California Institute on Global Conflict and Cooperation, stated that “The goal is to get the two sides to seriously engage in trying to find ways to mitigate their cyber-espionage competition towards each and prevent it from continuing its negative spiral.”
Certainly, other countries may view themselves as victims of U.S. intrusions, particularly in the wake of Edward Snowden’s revelations. Although the U.S. views cyber actions for national or political purposes as distinct from actions for economic purposes, its surveillance capabilities buildup can be viewed as offensive power-building. As Zachary Goldman and Jerome Cohen observe with regard to China, countries that own their critical infrastructure may conflate security law with surveillance law, and the line between espionage for commercial purposes and for political objectives may be blurred or missing. Accordingly, the line the U.S. is trying to draw may be more readily acceptable to societies with greater private ownership of critical infrastructure and more independent norms of economics and law for the private and public spheres.
Nevertheless, when President Xi Jinping of China visited the U.S. in September, he and President Obama agreed to “cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyber activity emanating from their territory.” They also agreed “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
This language provides easily observed “outs”. For example, cooperation “in a manner consistent with their respective national laws” may not limit a China whose laws are “vague and sweeping, giving the government latitude to take whatever security measures it wishes.” As another example, the “intent of providing competitive advantages to companies or commercial sectors” may be largely irrelevant to an intent to increase a nation’s strength by damaging industry in the other country. After all, while visiting Seattle last month, President Xi not only quoted Martin Luther King, saying “the time is always right to do the right thing,” but also said “development remains China’s top priority.”
So which path will China take? President Obama said:
“What I’ve said to President Xi and what I say to the American people is the question now is, are words followed by actions. And we will be watching carefully to make an assessment as to whether progress has been made in this area.”
On October 19, 2015, cybersecurity firm CrowdStrike reported that China-affiliated actors were continuing intrusions into its customers’ systems, including “to facilitate theft of intellectual property and trade secrets [from tech and drug companies], rather than to conduct traditional national-security related intelligence collection which the Cyber agreement does not prohibit.”
Although dismantling programs that appear to violate the agreement could naturally take time, on December 1–2 the countries will meet to assess progress.
If each country watches the other for improvements, while failing to decrease its own cyber actions, progress may not be made. Both countries could then find themselves massively increasing their efforts in an unproductive cold war.
While we distinguish between the economic and the political, and surveillance versus theft or damage, the Chinese may be watching us for any of the above. U.S. surveillance and pressures in China to produce economic supremacy may decrease Xi’s political will to carry out the agreement, despite the benefits of cooperating with an increasingly aggressive opponent.
In its 2015 Report to Congress, the U.S.-China Economic and Security Review Commission recommended that Congress:
“assess the coverage of U.S. law to determine whether U.S.-based companies that have been hacked should be allowed to engage in counterintrusions for the purpose of recovering, erasing, or altering stolen data in offending computer networks. In addition, Congress should study the feasibility of a foreign intelligence cyber court to hear evidence from U.S. victims of cyber attacks and decide whether the U.S. government might undertake counterintrusions on a victim’s behalf.”
The latter could be unwieldy, and the former could result in problems if critical U.S. information could be harmed when domestic companies pursue hackers and suffer foreign retaliation. Pursuit of the sanctions adopted in the April 2014 Executive Order, for example, may be more effective. Nevertheless, all options remain worth considering, particularly where companies are well secured and more agile than the federal government.
*A version of this article was published at http://www.accdocket.com/articles/international-cybersecurity-sanctions-of-standoff.cfm