On October 9, Ellen Nakashima and Adam Goldman of The Washington Post reported very significant news. “The Chinese government has quietly arrested a handful of hackers at the urging of the U.S. government … It is not clear if the hackers arrested were with the Chinese military, but they were accused of carrying out state-sponsored economic espionage.”
It is unclear at this point if the arrested individuals are members of People’s Liberation Army (PLA) Unit 61398, the subject of Mandiant’s 2013 report and the Department of Justice’s 2014 indictment.
Overall, this development is significant because it is a concrete action by the Chinese government that moves beyond the words shared by Presidents Xi and Obama in late September. However, it does present some risks that perceptive American officials should consider before pressing for further action.
China-watchers did not expect such a rapid move, and it is important for multiple reasons. First, it is different from previous arrests by Chinese authorities. For example: In August, Chinese officials in the Ministry of Public Security (MPS) arrested approximately 15,000 individuals as part of 7,400 cases launched in July. Citing an MPS statement, CNN reported that the cases included “a cyberattack on a telecoms company, the theft of financial information via spam text messages, a campaign to defraud people with disabilities, and even a fake online investment platform.” The pattern of these earlier arrests is consistent with other actions taken within China: The victims have been Chinese citizens, and Chinese officials have arrested alleged Chinese criminals to show that the government does not tolerate cybercrime within the country’s borders.
The arrests reported by The Washington Post, in contrast, were taken to meet demands by the U.S. government for “state-sponsored economic espionage.” Properly defined, “economic espionage” in this case means “cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors,” as stated in the September 25, 2015 Fact Sheet on President Xi’s visit to the United States. As President Obama stated and as I reiterated in my testimony to the Asia Subcommittee of the House Foreign Affairs Committee, all nations conduct economic espionage, meaning operations “designed to better understand foreign financial conditions and uncover bribery and corruption that harms American commercial interests.” The United States, unlike almost all other nations, however, does not pass stolen commercial data to domestic companies for competitive gain. The extreme volume of Chinese activity for the purpose of “providing competitive advantages to companies or commercial sectors” is the focus of current U.S. policy.
The second reason the arrests are important is that the Chinese have taken an objective, concrete step to fulfill the obligations they assumed during President Xi’s visit. It is one matter to state, as President Xi did, that “both government [sic] will not be engaged in or knowingly support online theft of intellectual properties.” Assuming that The Washington Post report is accurate, these arrests mark the first time China has taken real action to address American concerns related to commercial spying.
Three other issues are worth considering. Although the United States issued warrants for the arrest of five members of the PLA in 2014, it is possible those arrested will not be the subjects of those warrants. Arresting military members would show that PLA units were indeed stealing commercial data from U.S. companies. It is possible that China could arrest these individuals, however, and claim that they were rogue elements operating beyond their commander’s knowledge and authority. Such arrests would fit with President Xi’s widespread anti-corruption campaign. Another possibility is that China arrested several so-called “contractors” or “gunslingers,” individuals available as hackers-for-hire. These technicians would be convenient scapegoats for a much larger Chinese data theft operation.
Either scenario presents a downside for President Xi. If the arrested individuals are PLA members, the PLA will not be pleased with the action. Having conducted campaigns against global targets for over 10 years, they would likely expect more support from their national command authority. If the arrested individuals are contractors, other hackers-for-hire are likely to be wary of conducting operations on behalf of the Chinese government in the future. They would rightly fear being arrested, at least for show trials.
A second issue for consideration involves reciprocity. Will China expect the United States to arrest American hackers? In the case of Americans conducting criminal activity under U.S. law, there should be no problem with such legal action. If China identifies U.S. offensive digital operations, it could request that American officials arrest the perpetrators. This could be dangerous territory for the United States. Arresting the Chinese individuals in question may set a precedent that the U.S. government has not thought through to its possible conclusions.
A way out of this conundrum forms the third issue: Should the United States pursue extradition of those arrested in China? The United States does not have an extradition treaty with China, a fact highlighted recently during China’s so-called Operations Fox Hunt and Skynet, which targeted Chinese citizens accused of corruption. When some of these Chinese individuals fled to the United States, China sent covert agents to pursue them. The U.S. government was not pleased with this tactic and told the Chinese government to send its agents home. Prior to President Xi’s visit, the United States sent several wanted individuals back to China, presumably meeting some of China’s demands.
Nevertheless, I recommend that the United States not pursue extradition of the arrested hackers and instead let the Chinese government put the perpetrators on trial. This aligns with the concept of reciprocity; should the Chinese government request arrests of American hackers, the United States should put them on trial in the United States.
This suggestion does not solve the larger problem of the “investigation” aspect of the Obama-Xi agreement, however, which states
“The United States and China agree that timely responses should be provided to requests for information and assistance concerning malicious cyber activities. Further, both sides agree to cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyber activity emanating from their territory.”
The problem with this language is that it may give the Chinese government an asymmetric advantage when trying to identify American offensive digital operations. Consider a scenario in which Chinese defenders discover 10 campaigns against various Chinese targets. The Chinese government presents the 10 cases to their American counterparts. The United States recognizes eight as criminal conduct designed to steal personally identifiable data or other financial instruments. The United States also sees that one involves human rights communications, and the last is likely a covert American campaign against Chinese military targets. When the United States declines to support the Chinese investigations for the human rights and counter-military operations, the Chinese are likely to loudly complain about the former and quietly exult in attributing the latter. Neither situation benefits the United States.
It is easy for China-watchers to be cynical about developments in the digital arena, but this is a promising development. What matters now is how far the United States presses its position. It is important to welcome the news but be wary of reciprocal, asymmetric Chinese demands.