The irony of this week’s summit meeting between President Obama and China’s President, Xi Jinping, is that these two heads of state may be powerless to stop the silent cyber conflict that they are engaged in. With both economies, so intertwined and China grappling with a slowing economy and turbulent stock market there is little that either can do that hasn’t been tried before.
Have We Seen This Movie Before?
The first time Obama and XI met was an informal meet and greet in June of 2013 at the Sunnylands estate in California. It was a little over four months after Mandiant published the APT1 report. This was the first time anyone had publicly pointed the finger at China’s cyber espionage campaigns targeting the private sector. Names had been named and President Obama’s National Security Advisor, Thomas Donilon, declared that cyber espionage had moved to the “forefront” of the U.S. agenda in its relationship with China. He called for the Chinese Government to stop the hacking and to join an international process for limiting economic espionage[i].
The White House had said that cyber-security would be part of the agenda at that Sunnylands meeting. Enter Edward Snowden. Two days before the summit, he revealed his top-secret documents, and muddied the conversation. It’s unclear what Obama and Xi discussed behind closed doors in California. But Obama’s official remarks after the meeting were, at best, vague:
“… the United States seeks an international economy and international economic order where nations are playing by the same rules, where trade is free and fair, and where the United States and China work together to address issues like cyber-security and the protection of intellectual property.”
Meanwhile the attacks continued.
When “naming and shaming” didn’t work we saw the United States turn to the courts – indicting five People’s Liberation Army officers suspected in the cyber espionage attacks. Still, the attacks continued. When Obama and Xi met on Chinese soil in November 2014 the only visible result was a prepared statement from the White House, which included a quote from Obama[ii] that sounded very similar to the previous 2013 meeting statement:
“I stressed the importance of protecting intellectual property as well as trade secrets, especially against cyber-threats. And we welcome continued progress towards a market-driven exchange rate.”
The press and foreign policy experts have speculated that Snowden’s ill-timed revelations eroded the clarity of the United States’ position when it came to admonishing China on cyberspying. If the U.S. is spying on its own citizens (and other countries), the argument went, how can it confront China for doing the same thing? Meanwhile, the attacks continue.
Can China (Xi) Even Stop?
Friday marks the third face-to-face summit between Xi and Obama. It’s worth asking the question – could China even stop if it wanted to?
China has become economically dependent on U.S. intellectual property and innovation. Or, to put it another way, they’ve become addicts. Like any addict, the only way they will stop is when they choose to stop.
With a weakening economy and Xi’s decision to build strategic military island bases in the South China Sea, China may not be in a position to turn off the information-spigot from the United States. Doing so could be political (and economic) suicide for Xi.
It’s helpful to look back to Xi’s past to understand where things might be going. Rewind back to October of 2010. Xi Jinping was selected as Vice-Chairman (second in command) for China’s Central Military Commission (CMC). The CMC’s role in China is to supervise and oversee the People’s Liberation Army. Think of it as the equivalent to the U.S. Department of Defense with oversight across all branches of the military. In that very same session, the Chinese Central Committee architected a new five-year plan to run from 2011 until 2015.
For China to evolve from what many classified as a “third-world nation” and achieve its seldom talked about goal of becoming a world superpower (at the levels of the US and Russia) by the year 2049 it needed a plan. The 2010 five-year plan was a step in that direction. It’s stated goals included:
At the same time as the ink was drying on China’s five-year plan we saw it testing out new cyber-espionage tactics in the late 2000’s (we started seeing China cyber-attacks around 2004-2005). These attacks primarily utilized vulnerabilities, exploits and social engineering to gain access to sensitive systems. Rather than wait around for new zero-days, or develop new exploits to launch against victims, the Chinese realized they could use phishing attacks against unsuspecting users to gain the same access. Coupled with using a remote access trojan (RAT) to control the user’s computer, they no longer had to wait around for exploits or vulnerabilities to take advantage of.
At this point China had the means (spearphishing/command & control) and motive (five year plan). But did it have the will and the organization? In hindsight the answer, of course, is “yes”. While we can’t know what Xi’s direct role was (if any) in overseeing the building of cyber-espionage attack teams (like APT1, APT2, APT3, etc.) and targeting United States based companies to acquire their intellectual property, Xi had a front row seat as this unfolded.
Now, nearly a decade later, China may be so dependent upon U.S. intellectual property and innovation that they can’t stop, even if they wanted to. With the weakening of their economy and Xi’s decision to build strategic military island bases in the South China Sea, they may not be in a position to back up and turn off the information-spigot from the United States. Doing so could be political (and economic) suicide for Xi.
Fast forward to 2015. Obama is in the final years of his presidency. Confronted with the growing cyber-espionage problem from state-sponsored attackers (China, Russia, N. Korea, etc.), he is under pressure to do something about these threats. Naming and shaming hasn’t worked. Indicting PLA officers hasn’t worked. Two meetings with Obama and Xi haven’t worked. What will be different this week?
There have been news reports within the last few weeks that the White House is preparing sanctions against Chinese companies that conduct, or have benefited from, cyber-espionage attacks where intellectual property was stolen. The majority of foreign-policy experts and cyber-security professionals are skeptical that sanctions can curb or curtail the Chinese campaigns. China cannot afford to stop. And, in any case, many of the most obvious companies that benefit from the stolen secrets don’t do business within the United States. They are defense industrial complexes building new weaponry (like the Shenyang J-31, believed to be built from stolen U.S. F-35 plans), or energy powerhouses (like Sinovel stealing trade secrets from a U.S. competitor) building sustainable generation methods.
The alternatives to sanctions are limited. China is one of the United State’s top trading partners. Taking military (kinetic) action is a red line that the United States is unlikely to cross – particularly since Obama’s own military intelligence leaders don’t consider China’s cyber-espionage campaigns as attacks. Offensive (hack-back) cyber-attacks against China by the United States could backfire. First, attribution of cyber-attacks is extremely difficult (and prone to error). Second, if the U.S. crossed the line, the Chinese could retaliate with destructive campaigns (think N. Korea vs. Sony), or even the mass-release of acquired state secrets (just think what would happen if China decided to release the OPM top-secret clearance database to PirateBay).
The last two meetings between the Obama and Xi have been ineffective in getting China to admit to (or stop) their cyber-espionage campaigns against U.S. companies (and government). It’s unlikely this week’s meeting will change the state of affairs.
With both economies so intertwined, there appears little that President Obama and the United States can do. There have been rumblings within the last few days about the White House negotiating a “code of conduct” with China that both countries would agree to. From a distance this type of agreement might look like a positive step forward, perhaps even a win for Obama if he can pull it off. Unfortunately, the code of conduct only pertains to cyber attacks that destroy a nation’s critical infrastructure, not the wholesale theft of intellectual property and state secrets.
Here at Fidelis, based on the cyber-espionage incidents we are responding to, we have not seen any slowdown in the number of attacks from suspected Chinese threat actors. Regardless of what the joint statement looks like at the conclusion of this summit real progress will be judged based on the facts on the ground.