
What is our China Cyber Indictment Endgame?

In February 2020, the U.S. Department of Justice (DoJ) issued indictments against four Chinese individuals suspected of conducting the 2017 intrusion into Equifax, a global information solutions company that organizes, assimilates, and analyzes data on consumers and businesses worldwide.[i] The personal data of approximately 145 million U.S. citizens was stolen in the breach. The four suspects are alleged to be members of the People’s Liberation Army’s (PLA) 54th Research Institute.

This is not the first time Chinese individuals associated with the People’s Republic of China have been indicted for computer-related crimes and information theft. In 2014, five members of China’s PLA were indicted for conducting cyber espionage against U.S. organizations in order to collect information for commercial advantage.[ii] Then in 2018, the DoJ issued another indictment against two Chinese hackers associated with the Ministry of State Security, China’s premier intelligence agency.[iii] These hackers were alleged to have conducted global intrusion campaigns that targeted intellectual property and confidential business information. In 2019, a member of a sophisticated China-based hacking group was indicted for a series of network intrusions, including the 2015 breach of the health insurer Anthem, which affected more than 78 million people.[iv]

The motives behind large China-perpetrated breaches such as the ones against Anthem, the Office of Personnel Management (OPM[v]), and Equifax are debatable, and dependent on the victimized entity. For Anthem, some see the collection as potential insight into how the U.S. manages the care and wellbeing of its large population. For OPM, some view it as China building portfolios of U.S. citizens to be used for further intelligence collection efforts.[vi] In the Equifax case, the collection of personal information is believed to help the Chinese better target intelligence officers and officials.[vii] These motives, while intriguing in theory, are speculative in nature, with little evidence supporting their hypotheses. One Congressman admitted that data from OPM was being processed by China but offered no evidence to support the allegation.[viii] Granted, if this is being done, the processing of nearly five million gigabytes of data will take a while. A damage assessment described the operationalizing of such information as “20 years in the making.”[ix] How that would look was not offered.

Legal indictment against cyber espionage actors appears to be the preferred course of action, as it allows the United States to publicly acknowledge that it was victimized by a cyber attack and implicate an offending state. Similar cyber-related indictments have been levied against state-affiliated actors of Iran in 2016[x] and 2018;[xi] North Korea in 2018;[xii] and Russia[xiii] in 2018.[xiv]

But the lingering question is: what do these indictments accomplish?

An immediate goal may be that these cyber indictments will serve as a deterrent for future activity, but there is little evidence that this will have any lasting impact. One could argue that the 2014 indictments of Chinese military personnel were a catalyst for the 2015 China-U.S. “no hack” pact[xv] on espionage for commercial advantage, which resulted in a temporary reduction[xvi] in espionage activity.

Additionally, proponents of indictments will cite that such actions formally link states to the activity. Where attribution for cyber attacks is always subject to debate, a formal legal indictment certainly suggests a more definitive linkage between a state and a criminal act. Furthermore, being able to identify the specific identities of the cyber operators certainly demonstrates a reach and capability likely not possessed by even some of the more sophisticated cyber adversaries.

While indictments and “naming and shaming” seem like steps in the right direction, they are more pyrrhic victories than useful, serving more to show the global community that the U.S. government can “confidently” attribute hostile cyber activity than to do anything about deterring it. After all, China still conducts global cyber espionage campaigns, some of which target U.S. organizations. It is doubtful such tactics will influence the more determined U.S. adversaries to halt or diminish cyber operations. Nonstate actors, obfuscation techniques, and operations conducted from third-party countries will keep offensive cyber activities an ongoing threat.

But it does raise the question: what is the true end goal of indictments?

One thing is clear: nation states will engage in any activity they view as necessary to preserve or pursue their national interests. If cyber activities support those interests, then it follows that they would continue them, regardless of global opinion.

This may be the reason that China still engages in cyber espionage on a global scale. The U.S. is under no illusion that China, or any other government, will surrender the indicted for legal process. But indictments have enabled the U.S. to raise the theft of intellectual property to the highest levels of government-to-government engagement and incorporate it into China-U.S. trade deal discussions.[xvii] China has agreed to raise the penalties associated with IP theft in the hope of addressing this sticking point, although it remains uncertain whether this has met U.S. expectations.[xviii] On the surface, economic pressure in the form of trade deals may ultimately prove to be the correctly leveraged pressure point with China.

But that approach may not work in the same vein with other countries. Neither Iran[xix] nor Russia,[xx] for example, is among the top trade partners of the United States, making such deals unlikely leverage for addressing the cyber activities both governments are suspected of. Compounding matters is that where China has focused on theft of information, Tehran and Moscow have been behind some of the more egregious and disruptive activities against U.S. interests; it is unlikely either one will be legally intimidated or publicly embarrassed. Indictments in these instances appear to be placeholders until the U.S. can determine how to use them as leverage against either government, rather than any meaningful punitive response.

This means that the U.S. government still has no viable cyber deterrence strategy in place. While there are some indications that it uses its cyber power to retaliate against countries launching cyber attacks (e.g., North Korea in 2017[xxi] and Iran in 2019[xxii]), these actions have not persuaded those states to alter how they use offensive cyber operations. The longer the U.S. fails to capitalize on being the first country to levy cyber indictments, the more they will lose their effectiveness. Worse, other countries may start to implicate U.S. cyber operations as a counterpoint. Already, a Chinese company has accused the CIA of conducting 11 years’ worth of cyber espionage, identifying one potential actor by name.[xxiii] The Chinese government has stopped short of levying its own indictment, but it’s easy to see how this could quickly escalate to that end.

For the time being, cyber indictments are the United States’ go-to response for the most nefarious cyber malfeasance, with the U.S. leading the way in levying such actions. However, failing to build on any successes brought about by them, no matter how minor, risks indictments becoming a bark without bite, a dangerous undertaking given how the most authoritarian regimes respond to threats without consequence.

Endnotes:

[i] U.S. Department of Justice, “Chinese Military Personnel Charged with Computer Fraud, Economic Espionage and Wire Fraud for Hacking into Credit Report Agency Equifax,” February 10, 2020, accessed March 9, 2020, https://www.justice.gov/opa/pr/chinese-military-personnel-charged-computer-fraud-economic-espionage-and-wire-fraud-hacking

[ii] U.S. Department of Justice, “U.S. Charges Five Chinese Military Hackers for Cyber Espionage against U.S. Corporations and a Labor Organization for Commercial Advantage,” May 19, 2014, accessed March 9, 2020, https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor

[iii] U.S. Department of Justice, “Two Chinese Hackers Associated with the Ministry of State Security Charged with Global Computer Intrusion Campaigns Targeting Intellectual Property and Confidential Business Information,” December 20, 2018, accessed March 9, 2020, https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion

[iv] U.S. Department of Justice, “Member of Sophisticated Chinese Hacking Group Indicted for a Series of Computer Intrusions, including 2015 Data Breach of Health Insurer Anthem Inc. Affecting Over 78 Million People,” May 9, 2019, accessed March 9, 2020, https://www.justice.gov/opa/pr/member-sophisticated-china-based-hacking-group-indicted-series-computer-intrusions-including

[v] Josh Fruhlinger, “The OPM Hack Explained: Bad Security Practices Meet China’s Captain America,” CSO, February 12, 2020, accessed March 9, 2020, https://www.csoonline.com/article/3318238/the-opm-hack-explained-bad-security-practices-meet-chinas-captain-america.html

[vi] Bill Gertz, “China Using OPM Records for Spying,” The Washington Free Beacon, April 11, 2019, accessed March 9, 2020, https://freebeacon.com/national-security/china-using-opm-records-for-spying/

[vii] Paul Mozur, “With Harsh Words China’s Military Denies It Hacked Equifax,” The New York Times, February 13, 2020, accessed March 9, 2020, https://www.nytimes.com/2020/02/13/business/china-equifax-deny.html

[viii] Gertz.

[ix] Gertz.

[x] U.S. Department of Justice, “Seven Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities Charged for Conducting Coordinated Campaign of Cyber Attacks against U.S. Financial Sector,” March 24, 2016, accessed March 9, 2020, https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged

[xi] U.S. Department of Justice, “Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of The Islamic Revolutionary Guard Corps,” March 23, 2018, accessed March 9, 2020, https://www.justice.gov/usao-sdny/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic

[xii] U.S. Department of Justice, “North Korean-Backed Programmer Charged with Conspiracy to Conduct Multiple Cyber Attacks and Intrusions,” September 6, 2018, accessed March 9, 2020, https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and

[xiii] U.S. Department of Justice, “U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations,” October 4, 2018, accessed March 9, 2020, https://www.justice.gov/opa/pr/us-charges-russian-gru-officers-international-hacking-and-related-influence-and

[xiv] U.S. Department of Justice, “Grand Jury Indicts 12 Russian Intelligence Officers for Hacking Offences Related to the 2016 Election,” July 13, 2018, accessed March 9, 2020, https://www.justice.gov/opa/pr/grand-jury-indicts-12-russian-intelligence-officers-hacking-offenses-related-2016-election

[xv] “Fact Sheet: President Xi Jinping’s State Visit to the White House,” September 25, 2015, accessed March 9, 2020, https://obamawhitehouse.archives.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states

[xvi] David E. Sanger, “China Curb Cyberattacks on U.S. Interests, Report Finds,” The New York Times, June 20, 2016, accessed March 9, 2020, https://www.nytimes.com/2016/06/21/us/politics/china-us-cyber-spying.html

[xvii] Saheli Roy Choudhury, “Beijing Cracking Down on IP Theft Could Boost Investment in China, Former US Negotiator Says,” CNBC, January 16, 2020, accessed March 9, 2020, https://www.cnbc.com/2020/01/16/us-china-trade-deal-intellectual-property-protection-benefits-beijing.html

[xviii] “China to Raise Penalties on IP Theft in Trade War Compromise,” South China Morning Post, November 25, 2019, accessed March 9, 2020, https://www.scmp.com/tech/policy/article/3039232/china-raise-penalties-ip-theft-trade-war-compromise

[xix] U.S. Trade Numbers, Iran, https://www.ustradenumbers.com/country/iran/

[xx] U.S. Trade Numbers, Russia, https://www.ustradenumbers.com/country/russia/

[xxi] Alex Locke, “North Korea’s Embarrassing Missile Failure May Have Been to U.S. Cyber Sabotage,” Business Insider, April 17, 2017, accessed March 9, 2020, https://www.businessinsider.com/us-hack-north-korea-missile-system-2017-4

[xxii] Julian E. Barnes and Thomas Gibbons-Neff, “U.S. Carried Out Cyber Attacks on Iran,” The New York Times, June 22, 2019, accessed March 9, 2020, https://www.nytimes.com/2019/06/22/us/politics/us-iran-cyber-attacks.html

[xxiii] Zak Doffman, “CIA Hackers Accused of 11-Year Attack in New Chinese Cyber Report: This Is What’s Behind It,” Forbes, March 3, 2020, accessed March 9, 2020, https://www.forbes.com/sites/zakdoffman/2020/03/03/new-chinese-cyber-report-just-accused-cia-of-11-year-attack-this-is-whats-behind-the-report/#30b14a5f57e6

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.