By Sarah McKune
Senior Researcher, Citizen Lab
The trajectories of the U.S. and Chinese governments on cyber security have officially diverged with the May 19 unsealing of an indictment against five Chinese nationals accused of cyber espionage against U.S. companies. This outcome was perhaps inevitable given longstanding differences of approach to cyberspace, but the stark nature of the split is exceptional. In pursuing criminal charges in U.S. federal court against individuals alleged to be working for the Chinese military, the U.S. government has opened the issue of cyber espionage — normally discussed in confidential, high-level meetings between government officials that are closely controlled — to public discussion and debate, providing an unprecedented level of detail. (The companies named in the indictment also deserve credit for agreeing to go public with this information, despite probable backlash.) This airing of the dispute by way of recourse to an independent judiciary is a welcome change, one that may result in actual progress on questions of cybersecurity over the long term.
From the perspective of civil society — NGOs, exile organizations, political movements, and other public interest coalitions — the indictment is an important step forward, providing rare insight into cyber threats emanating from state-linked actors. Civil society groups are frequently targeted for politically-motivated cyber intrusion, often tied to government actors, but lack the resources and political support necessary to mount coordinated resistance to such threats. While the U.S. government has long concerned itself primarily with the economic repercussions of cyber espionage, and brought the criminal charges here on behalf of private industry, civil society actors still stand to benefit: the case will help advance the state of knowledge about cyber threats at large, which is essential for the overall health of the cyber ecosystem.
For example, we learn from the indictment that:
- Access to the computer networks of major companies was obtained largely through spearphishing techniques. Such techniques are regularly employed against civil society actors as well, and are countered most successfully through human training measures. Defensive practices and knowledge of spearphishing attempts should be shared.
- Targets had existing relationships with Chinese state-owned enterprises. While reporting has focused on the link between the timing of attacks and trade disputes, it is also probable that the establishment of a business relationship provided attackers with a means of obtaining information on a target that was later incorporated into the design of the attack vector, including the social engineering employed. It is noteworthy that, according to paragraph 13 of the indictment, computers were used for the purpose of researching the victims. Methods and avenues of attackers for researching targets are a key area for further investigation and discussion.
- One of the individuals named in the indictment was allegedly hired by the PLA to create a database of information obtained from the target (paragraph 8). Little is known about cyber espionage operations beyond the collection stage; any insight into such post-collection activities is useful.
As this case and others like it proceed, additional useful information may come to light.
Still unknown, however, are the methods by which the evidence in the indictment was obtained and the veracity of the evidence. It remains to be seen whether this case will result in disclosure of how the five named individuals were determined with certainty or whether they served as agents of the Chinese government. While bringing criminal charges against the individuals that engaged directly in espionage activities allows the U.S. government to give a face to the problem of cyber espionage, and to avoid the need to prove that the intrusions were authorized or directed by the state, the allegations also cut that much deeper as they identify specific Chinese nationals as criminals. Transparency on this issue is essential given the often insurmountable barriers that exist to attribution of cyber crimes.
To be certain, this U.S. action will provoke retrenchment and solidifying of positions along ideological lines. Within a day of the announcement of the indictment, the Chinese government has asserted that the charges are based on “deliberately fabricated facts”; accused the U.S. of “cyber theft” too; suspended the recently formed US-China Cyber Working Group, an important forum for engagement on cyber security; summoned the U.S. ambassador; and issued a statement condemning the indictment through the Ministry of National Defense. These are likely to be just the first in a series of retaliatory actions, some of which may have significant economic impact.
These setbacks come at an inopportune time, with China at a crucial stage in its development of cybersecurity measures. Just this year Chinese President Xi Jinping announced the creation of a new working group – led by Xi himself – to coordinate, formulate and implement cybersecurity measures, as, according to Xi, “‘No Internet safety means no national security.’” China is also reportedly drawing up a new cybersecurity law, and creating professional teams to implement cybersecurity measures. The U.S. has likely lost its opportunity to influence that process.
On the other hand, it is an open question whether influence was ever possible on such issues through existing channels. Dialogues with the Chinese government regarding rights-related issues are known for producing lots of PR but little in the way of concrete results. And fundamental ideological precepts of the Communist Party of China that ultimately determine matters of security, stability, and online rights are unlikely to change any time soon. The U.S. may therefore have more to gain by opting for public confrontation than it has to lose — something the Chinese government should have considered in taking a hardline, unconciliatory position on cyber matters, and which may affect its calculations in the future.
Most importantly, civil society actors stand to benefit from the resulting scrutiny, by all parties involved, of the cyber espionage practices of governments — those of China as well as the U.S. and other states. The Chinese government has called out U.S. double standards on cyber threats, citing the Snowden disclosures, and may very well respond to the indictment by pursuing legal action against U.S. authorities for intrusions against Huawei and other Chinese entities. While the can of worms opened up by the U.S. indictment may create acrimony and prolonged legal disputes, it may in the end facilitate the greater transparency the public needs.