Today, the United States Department of Justice indicted five Chinese military officers related to alleged cyber espionage against U.S. companies. At the same time, John T. Chambers, Chairman and CEO of Cisco Systems, sent a letter to President Obama arguing that NSA efforts to undermine global Internet security undermine the future of the Internet and the United States’ technology industry. The two developments point to a number of possible implications for the U.S. government’s ability to protect companies from foreign espionage, as well as the future of the ongoing U.S.-China cyber dispute.
First, disclosures over the last year that indicate that NSA engages in cyber espionage against foreign companies help to bolster claims that the U.S. lacks credibility when confronting China about its engagement in economic espionage. This, in turn, undermines the United States’ ability to protect its companies from other states’ military and intelligence agencies.
We know that NSA has targeted companies in a number of countries, including China. Though no evidence has been presented that the U.S. government passes this information directly to U.S. companies–the primary basis of its complaint against China–it is nonetheless clear that its own economic espionage can benefit U.S. companies indirectly.
For example, NSA has targeted the servers of Chinese telecommunications equipment manufacturer, Huawei, while U.S. officials have warned against the use of that company’s products for fear of the kinds of “backdoors” we now know that NSA sometimes plants in Cisco equipment. Ultimately, the Chinese company decided to pull out of the U.S. market, citing the difficulties caused by such warnings. Even if the U.S. government did not pass Huawei corporate secrets directly to its U.S. competitors, driving them from the marketplace certainly provided an indirect benefit nonetheless.
Next, we also know that NSA surveillance has aided the U.S. in trade negotiations. The United States having a better chance of getting its way in such negotiations is certainly a benefit to U.S. industry, even if intelligence gathered from foreign companies and officials is never passed directly to U.S. companies.
But these benefits must be weighed against the potential harm done if or when others learn of such activities. In this case, we see the possibility that the benefits of NSA targeting foreign companies could be outweighed by a diminished capacity for the U.S. to protect its own companies when subjected to the same kind of behavior–or worse, which is what is alleged against China–by foreign intelligence agencies.
Predictably, China is taking advantage of our newfound knowledge of NSA targeting of its companies in its official response to the U.S. indictment, alleging that China is the true victim, not the United States.
None of this is to dismiss the possibility or seriousness of the actions for which the Chinese officers have been indicted. But to the degree that NSA actions lend credibility to the Chinese counter narrative, they represent one more way in which NSA surveillance has harmed U.S. companies.
But there are implications beyond the ability of the U.S. to protect its companies from foreign espionage and theft of intellectual property. As Attorney General Eric Holder noted, this is the first time the United States has taken this kind of action. As such, it sets a new precedent with serious potential consequences.
First, this is an escalation of U.S. efforts to deal with cyber threats using the criminal justice system. We can see this also in the FBI’s arrest of almost 100 hackers around the world today. Thus far, as I have noted many times, U.S. cybersecurity rhetoric, especially as it relates to China, has been dominated by talk of “cyber war.” This is in contrast to the reality that most cyber incidents are more properly characterized as instances of crime or espionage. So, perhaps this move signals a shift away from such bellicose cyber rhetoric.
Second, though a move away from war rhetoric should be welcomed, an aggressive pursuit of foreign military and intelligence officers for cyber crime in the wake of the NSA revelations could open U.S. officials to similar indictments from governments whose companies have been targeted by NSA. Will we see China or Brazil “naming and shaming” NSA employees? Only time will tell.
Third, if the Chinese are as persistent in carrying out espionage against U.S. companies as government officials insist, it is hard to imagine that this indictment will curtail those activities to any significant degree. Instead, what we have seen thus far is China suspending its participation in the Sino-U.S. network working group, which was meant as a forum for the two countries to work on resolving differences in the area of cybersecurity. This is a possibility that U.S. officials must certainly have anticipated. If so, the decision to proceed with the indictments could indicate that the working group was not succeeding in its mission and that the U.S. felt the time was right for an escalation in the ongoing cyber dispute.
Whatever the case, today’s events should serve to highlight the difficulties in using the power of the national security state to promote and protect the interests of U.S. industry. These actions can turn out to be a double-edged sword or to work at cross purposes to one another. Finally, today’s events also mark an important turning point in the ongoing cyber dispute between the United States and China.