From within the tech bubble, where U.S. and Chinese executives gather regularly in a spirit of mutual admiration and collaboration, technology exchange would not seem to be one of the biggest flash points in the U.S.-China relationship. While individual commercial relationships and industry competition can present challenges, a technologist’s instinct is not to appeal to public policy for help. Over the last five years, however, the worrying trajectory of the relationship between the two countries has become all too clear. In response, U.S. companies have filled the halls of government appealing for official action. In 2013, the Commission on the Theft of American Intellectual Property estimated that the theft of Intellectual Property (IP) totaled $300 billion annually, 50 to 80 percent of which was attributable to China. Technology may be cross-border in nature, but the U.S. government has to act unilaterally in order to protect national security and encourage a salutary global environment for innovation.
What has made the issue of cybersecurity and IP particularly difficult to solve for the United States and China, aside from sizeable practical technology challenges, is that there is no clear international standard that guides cyber relations. So far, all countries have been concerned that imposing an insufficiently nuanced or comprehensive regulatory regime would mean stifling positive and legitimate technology activity. For example, while most would agree that hacking for purposes of stealing identities or corrupting software systems should be prohibited, hacking for intelligence is a widely accepted form of espionage. In addition, U.S. technology companies often complain that they face unfair regulatory treatment in the Chinese market, and Chinese companies have recently made the same claims about the United States. Market openness is an important goal, but not when foreign technologies can be used as a conduit for state security activity. Because it is difficult for international regulations to strike the right balance between these tradeoffs, cybersecurity and IP rights have been governed on a much more ad hoc, bilateral basis. That is the right framework to pursue, but the United States has to set up an infrastructure to make decisions about those tradeoffs for an effective policy going forward.
The Lead Up to the Arrest of a Technology Executive
In September 2015, the United States and China signed an agreement that neither would engage in cybertheft for the purposes of acquiring IP. This bilateral agreement was the first time the two countries forcefully addressed an issue that had previously been discussed only in back channels or through official remarks without threat of action. The United States was able to extract such a deal from China because President Xi Jinping was about to conduct a state visit to the United States later that month in which U.S. and Chinese technology companies were to sign major partnerships, and China did not want this shadow over the proceedings. At the G20 summit in November 2015, the same core agreement on IP was internationalized in the event’s communiqué. China soon inked similar bilateral agreements with Australia, Canada, Germany, and the UK.
For a period of three years, it appeared that the agreement had a deterrent effect on U.S.-China cybertheft. But in July 2018, the National Counterintelligence and Security Center published a report that showed China was stealing U.S. technology secrets, including everything from software source code to chemical formulas and technology for defense equipment. The report also stated that other countries had been engaged in the same activity, including Russia and Iran. However, none stole as much as China.
What made the new breed of cybertheft all the more alarming was that it no longer attacked large corporations, as it had in the past. Notable targets had included Google, IBM, Hewlett Packard, and countless other technology companies. But now, hackers were going after the “supply chain” of a company’s IT management, starting with its managed service provider (MSP). Rather than maintain IT infrastructure and security in-house, many companies now hire a third-party vendor to perform basic IT functions like managing their data storage and automatic back-office activities. By going after an MSP that services multiple companies instead of targeting individual companies, the hackers are able to amplify their attacks with the same effort. According to CrowdStrike, a leading cybersecurity firm, two-thirds of respondents to a survey of companies commissioned in 2018 said they had experienced such an attack on their digital supply chain, where 90 percent of the attacks led to financial loss.
Consequently, from September to November 2018, the U.S. Department of Justice issued four sets of indictments against Chinese nationals for espionage and cybertheft. The charges included hacking aerospace firms and semiconductor companies to steal IP for commercial purposes. These indictments were the first in years and indicated that prosecutions begun during the Obama Administration were coming to fruition.
In early November, the Department of Commerce added the company Fujian Jinhua, a memory manufacturer and competitor to the US-based Micron Technology, to its Export Administration Regulation List. Like Huawei Technologies and ZTE, two Chinese companies that have been on this list for years, Jinhua would no longer be able to receive exports of chips or the underlying IP from the United States, either through its own subsidiaries or from other suppliers.
Immediately before the G20 summit in late November, the office of the U.S. Trade Representative issued an update on its Section 301 Investigation into Chinese activity related to technology transfer, IP, and innovation. U.S. Trade Representative Ambassador Robert Lighthizer said, “This update shows that China has not fundamentally altered its unfair, unreasonable, and market-distorting practices that were the subject of the March 2018 report on our Section 301 investigation.” The report had four key findings:
- China continues to engage in cybertheft of foreign IP and proprietary business data for commercial reasons.
- China uses foreign investment restrictions to pressure technology transfer from foreign companies looking to do business in China.
- China restricts licensing of technology to foreign companies in contravention of international trade laws.
- China encourages investment in U.S. companies in nationally strategic sectors to obtain control and access to IP.
As we can see from the range of activities covered in the report, the lines between commercial protectionism, national security, and cybertheft start to get blurred in policy discussions. Because the United States tends to treat them under the rubric of cybersecurity and IP relations, China is able to exploit the distinct differences between each one of these issues and claim that the United States is behaving in an unfair and hegemonic manner. Many in the technology community also believe some of the specific findings in the Section 301 Report describe aggressive, but not illegal, behavior.
If any single event can be said to have fueled this narrative in China, it would be the arrest of Meng Wanzhou, CFO and deputy chairperson of Huawei, during the G20 summit. She was arrested by Canadian authorities at the request of the United States during a layover in Vancouver. Meng has been indicted for violating U.S. sanctions against Iran by lying to banks about the relationship between Huawei and Skycom, a company based in Hong Kong that sells U.S.-manufactured technology to Iran. The United States took this a step further in mid-January 2019 by requesting the extradition of Meng and unsealing an indictment against Huawei itself for stealing technology from telecommunications giant T-Mobile. The United States has generally been trying to limit Huawei’s presence in this country and across the globe because it is concerned that the company is using its technology to conduct espionage for the Chinese government. As a result of the indictments, British company Vodafone has paused purchases of Huawei equipment for its network infrastructure, and the EU is discussing adoption of a similar region-wide policy for networks.
Chinese state media responded with furor, accusing the United States of perpetrating a conspiracy to stifle China’s technology sector and standing in the world. However, China did not take the additional step of slowing down trade talks with the United States. The Ministry of Commerce announced soon after the arrest that China was “fully confident” it would arrive at a trade agreement with the United States within 90 days, as expected, and would immediately start implementing agreements on agricultural products, energy, and cars. A week after the indictment against Huawei, China’s Vice Premier Liu arrived in Washington to resume trade negotiations in advance of a March deadline.
The United States exercised the same caution in December 2018 when the Department of Justice unsealed yet another set of indictments against two Chinese hackers affiliated with China’s Ministry of State Security. These hackers are part of a group called APT 10, running a campaign codenamed CloudHopper, which has been targeting MSPs servicing biotech, health care, NASA, oil and gas, and other industries since 2014. The group also hacked U.S. government agencies and obtained the personal information of more than 100,000 naval service members. The United States was not the sole target: Other countries affected include Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, and the United Kingdom. As an update to the National Counterintelligence and Security Center’s report, Deputy Attorney General Rod Rosenstein stated that more than 90 percent of the U.S. cases alleging digital economic espionage and 67 percent of trade-secret theft prosecutions involved China.
Back in September 2018, Trump Administration officials hinted that the United States may trigger Executive Order 13694, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” which had been issued by President Obama in April 2015. This order allows for economic sanctions against individuals and companies found to have profited from cybertheft. However, Treasury Secretary Steven Mnuchin has been successfully arguing against such sanctions. When the indictments came down, he renewed his objections for fear that sanctions would upset the January 2019 trade talks between the two countries.
Trying to Regulate Good Behavior with Bad Intentions
If the progress of cyber relations between the United States and China seems slight compared to the magnitude of short-term economic loss and the potential for far greater problems ahead, we have to remember that regulatory authorities are just beginning to understand how to deal with international cybercrimes. Add to that the complexities of the U.S.-China relationship, and it becomes hard to envision any approach other than an incremental one.
First, sophisticated cybercrimes always come with a veneer of plausible deniability. The two Chinese hackers indicted in late December worked for Huaying Haitai Science and Technology Development Company and were contracted by China as cyber mercenaries. A report in September 2018 by the Australian Strategic Policy Institute found that after the 2015 cybersecurity agreement between the United States and China, China seemed to route such activities only through nonstate actors contracted through the Ministry of State Security instead of directly affiliated with the People’s Liberation Army, China’s military. The targets for cybertheft have also become more oblique. Rather than hacking individual companies, these actors are infiltrating MSPs that would provide access to the backend infrastructure and data of numerous companies at the same time.
While such small actors are harder to track, their cyber activity is easily identifiable as cybertheft. The difficulty is tracing their actions back to the state. The harder problem to detect is the nefarious use of international networks or products that also have significant legitimate purposes. Huawei and ZTE are two good examples of this. The U.S. Naval War College and Tel Aviv University also concluded in a paper published in October 2018 that China Telecom, one of China’s three largest telecommunications companies, has opened its network to the Chinese government for hacking border gateway patrols, which manage how data is routed across the Internet.
On a policy level, addressing cyber relations between the United States and China tends to bundle security and competition concerns. In fact, the two are very different challenges that call for separate consideration and government resources. Cyber espionage for state intelligence gathering is an internationally accepted practice. The United States freely admits to engaging in this activity vis-à-vis Chinese targets. The type of cybertheft prohibited by the international community is distinguishable only in its intent and consequences: The data must be gathered for commercial purposes and be deemed significant as trade secrets and proprietary IP without a state security function. Already, we see an overlap in responsibility between security and economic oversight that requires coordination to balance competing interests. That sort of coordination does not currently take place.
In addition, the United States and the wider international community have yet to determine what sort of economic norms and regulations should govern the trade of intangible technology goods. The WTO does have a body of law protecting IP rights, but it is hardly as sharp an instrument as laws governing the trade of more traditional goods and services. Without clear standards on international technology exchange, China has more room to maneuver to achieve much-desired status as a global technology giant. It openly pursues nationalistic technology goals that would not be acceptable if applied to traditional goods and services. In 2006, China laid out its National Medium- and Long-Term Plan (MLP) for the Development of Science and Technology. The primary policy of the MLP is the promotion of “indigenous innovation” across a comprehensive swath of industries. To achieve this, Chinese companies are encouraged to convert foreign technology for domestic use through a four-part process: introduce, digest, assimilate, and re-innovate. In 2015, President Xi unveiled “Made in China 2025,” a campaign to achieve global primacy in ten advanced technology industries, including robotics, quantum computing, and artificial intelligence. China also aims to be 70 percent self-sufficient in key technology industries and reduce its foreign dependence on critical components, such as semiconductor chips. Contrast the allowance of this policy with the WTO’s refusal to grant China market economy status for its significant subsidies to domestic industry (such as steel, solar panels, and other commodities), which indirectly lead to artificially low prices for Chinese exports.
These directives do have clear anticompetitive effects. Some of China’s more concrete protectionist measures include regulations stipulating that foreign companies cannot have direct foreign ownership of a few key categories of domestic industries, including high-tech. Foreign companies must submit communications technology to a government-administered national security review and store their data on domestic servers, where the government can potentially access it. However, China has indicated a willingness to further open its market to foreign technology companies. Under U.S. pressure, President Xi has recently remarked that the government will open “Made in China 2025” to more foreign participation. Xinhua News, China’s official news agency, also recently noted that the U.S. Bureau of Economic Analysis found that China paid $7.95 billion in 2016 and $8.76 billion in 2017 to U.S. companies for the use of intellectual property.
Official barriers to entry in China can be a hassle for foreign companies. What is far more detrimental, however, is the nationalism that pervades the Chinese technology community. A ten-year timeframe to gain primacy and self-sufficiency in technology is aggressive, even for a country that has shown it is able to leapfrog technology adoption cycles. Commercial espionage is a blatant response to this pressure, but company behavior is usually far subtler.
In recent hearings with the Office of the U.S. Trade Representative, many U.S. companies testified that they have never been forced to transfer technology to a Chinese company or the government. China knows that outright mandating technology transfer is not effective. As is the case with most foreign markets, entry requires establishing local partnerships. The local company will gain know-how in the technology, often to help tailor it to the local market, and the foreign company will have a distribution channel and guide for market development. Therefore, technology transfer is consistent with legitimate technology transactions. What distinguishes such partnerships with Chinese companies in particular is that it is tacitly understood the partner may want to produce and distribute this technology on its own in due course. In other words, the China market remains the prerogative of Chinese companies.
Finally, cybersecurity remains a global problem that has had few multilateral solutions. The Council of Europe’s Budapest Convention on Cybercrime, ratified by 40 states (including the United States) in 2001, was a first step in attributing cybercrimes to the true perpetrators. The Convention enacted other measures requiring official state agencies to refrain from cyberattacks, punishing the countries from which cyberattacks originate, encouraging countries to share information with one another about potential bad actors, and standardizing domestic cybersecurity measures across states. However, the enforcement mechanism relies on collective policing without a formal dispute resolution process, so countries have instead resorted to bilateral agreements where bad behavior can be punished through unilateral action.
Where We Can Go from Here
By far, the most effective deterrent against Chinese activity that runs counter to international norms has been the threat of being shut out of the global market. Now that China is poised to challenge the United States as the leading global economy, it does not want to risk retarding its growth with a negative perception and further sanctions on its largest companies. While the United States did not feel that last December was the right time to pull the trigger on sanctions against Chinese hackers for the first time, it should exercise that option independently of other bilateral discussions occurring at the same time.
While it’s true that China dominates the global market in technology exports, coming in at $496 billion in 2016, only three of the world’s top 20 technology companies are Chinese. In contrast, 11 of those companies are based in the United States, and many—including Apple, Microsoft, Amazon, and Google—are considered innovation leaders. Disputes over the trade of goods and services hit existing channels of commerce between the two countries in well-established industries. A war over technology is a war over the future of technology dominance, and, in China’s view, a direct threat to the growth of its economy and influence in the world.
In terms of concrete policy steps the United States can immediately take, one of the key initiatives should be to encourage China to continue building its domestic IP rights protection regime. China’s State Council Information Office claimed in 2018 that China had fulfilled its IP rights obligations under the WTO. The last ten years have seen a marked increase in the power of the judiciary in China and an emphasis on the rule of law, which is vital to enforcing IP rights. The country has set up three IP courts—in Beijing, Shanghai, and Guangzhou—and special judicial bodies at 15 intermediate courts in second-tier cities. Its National Intellectual Property Administration spearheaded an effort across 38 government departments to crack down on IP infringement. In addition to withdrawing government subsidies, access to capital and customs certifications, these companies will have their infringements publicized on an online national credit system. China has moved with particular intent on IP rights because their absence negatively affects how domestic companies, not just foreign companies, are able to protect their IP investments and grow in a law-driven business environment.
For its own part, the U.S. government should institute a formal process by which long-term cybersecurity threats are addressed and acted upon. We saw the impact of a lack of coordination when Secretary Mnuchin was able to call off sanctions against Chinese hackers because he was afraid it would derail impending trade talks. It should have been established that while cyberattacks and IP rights are trade issues, they also touch upon the domains of security and law enforcement. Rhode Island Democratic Representative Jim Langevin said it best when he commented on the current strategy, telling The Washington Post that, by saying that, as tough as it is when executed, it “does not go far enough in accelerating the reforms that need to be made,” because it “fails to provide the strategic guidance regarding what trade-offs we should expect to make” between regulating and responding to the needs of those who operate critical systems.
The office of a cybersecurity coordinator that cuts across agencies should be reestablished as a first step, with a future team comprised of representatives from other relevant agencies. National Security Adviser John Bolton had eliminated this role on the National Security Council because he felt the task could be handled by lower-level officials on the national security team. This level of authority is not commensurate with the Director of National Intelligence’s annual assessment to Congress, which this year stated that cybersecurity is the number one threat to overall security. Frankly, even the suggestion by a commission during the Obama Administration that suggested elevating the cybersecurity coordinator position so that it would be on par with that of counterterrorism and homeland security coordinators was insufficient. Ranking, however, is not as important as the level of visibility and authority the coordinator has across the departments of the security apparatus, as well as those responsible for economic statecraft. Few issues are as interdisciplinary and critical as cybersecurity, and that should be reflected with its own dedicated office and team in the White House.
If there is one lesson to take away from the last three years, it is that a blanket agreement will not be enough to govern cyber relations. Technology changes too quickly for static regulations to be effective. The best strategy is to continue to pursue international norms for the protection of IP rights and market openness, while placing the bulk of resources on vigilance and rapid unilateral response to Chinese cybertheft.
Just as is the case with the current trade war, action against the Chinese market results in a feedback effect that slows down the American economy as well. While technology companies had been more vocal in recent years about IP violations and cybertheft, they are now feeling the pain of a China slowdown and are urging the U.S. government to reach a deal. The IP leakage is a nuisance, but these companies perceive the loss of the Chinese market as far worse. Unlike trade of traditional goods and services, however, sanctions against individual Chinese companies, which in turn discourage expansion of their peers in foreign markets, are an option that allow for targeted results with fewer spillover effects. In addition, bilateral sanctions for cybercrimes have international support and are practiced by other major countries.
This is not to say that sanctions should be deployed for every grievance in cyber relations. Imbalances in market openness and pressure for technology transfer should be addressed primarily at the business level and through coordination on global technology best practices. When the U.S. government pushes for WTO-like regulations on fair technology competition, it plays into China’s narrative that the United States is using cyber relations as an excuse to keep Chinese industry from succeeding and perhaps one day replacing U.S. technology dominance. Where the United States should put its focus is on the detection of security threats, the prosecution of cybertheft and the enforcement of IP rights in the international courts. This multipronged attack on the problem harnesses the strengths of those most affected to ensure a vibrant and collaborative environment for global innovation.