15 July 2015

On the OPM Hack, Don’t Let China Off the Hook

art of the building of 'Unit 61398', a secretive Chinese military unit, is seen in the outskirts of Shanghai February 19, 2013. The unit is believed to be behind a series of hacking attacks, a U.S. computer security company said.

In the weeks since news broke of the extraordinary cyber hack of the Office of Personnel Management (OPM), presumably by China, the response by some American officials and commentators has been curious: begrudging respect for the theft of background data on tens of millions of Americans, guarded understanding, and even professional admiration. “Don’t blame the Chinese for the OPM hack,” former NSA and CIA Director Michael Hayden said, arguing that he “would not have thought twice” about seizing similar information from China if he had the chance. Director of National Intelligence James Clapper echoed the sentiment, saying at a recent conference, “you have to kind of salute the Chinese for what they did. . . . If we had the opportunity to do that [to them], I don’t think we’d hesitate for a minute.”


From the perspective of U.S. security interests, this excess of honesty is a strategic and tactical error. By portraying the OPM attack as acceptable in the rough-and-tumble world of great power politics, the United States is needlessly surrendering valuable arguments that, if properly advanced, could mitigate Chinese aggression in cyberspace and elsewhere. To that end, the U.S. government should do more, first, to distinguish its intelligence collection from the far more intrusive and unaccountable activities that constitute contemporary Chinese practice; second, call China to account for violating privacy norms in much the same way the international community has criticized U.S. practices since the Snowden leaks; and, third, leverage accepted international norms of behavior to check Chinese aggression on the web, on the seas, and beyond.

Let us be clear about the scope of China’s cyber espionage. In addition to the OPM breach, which resulted in the theft of personnel records for as many 21.5 million current, former, and prospective federal employees and contractors, knowledgeable sources also suspect China of hacking health-insurance providers Anthem and Premera Blue Cross and seizing health-care records of millions of Americans. These records reveal profoundly personal details about mental illnesses, drug and alcohol use, criminal histories, bankruptcies, personal contacts and relatives, Social Security numbers, and some fingerprints. With this information, observes U.S. Senator Ben Sasse, Beijing can threaten, intimidate, and blackmail literally millions of federal workers and their families.

As Benjamin Wittes of the Brookings Institution wrote, China is “almost certainly” creating “digital dossiers on people.” “It’s everything civil libertarians and privacy activists have been warning about for years,” Wittes said.

In addition to compiling files on millions of Americans who have no responsibility for or knowledge of Sino-American policy, Beijing’s spy agencies are also engaged in “a far-reaching industrial espionage campaign” that targets the intellectual property of “a swath of industries: biotechnology, telecommunications, and nanotechnology, as well as clean energy,” according to a lengthy report by Bloomberg. All told, China’s digital pilfering amounts to “probably the biggest transfer of wealth through theft and piracy in the history of mankind,” in the words of U.S. Senator Sheldon Whitehouse. As Hillary Clinton put it recently, China is “trying to hack into everything that doesn’t move.”

U.S. policymakers would be wise to emphasize that, despite their breadth and depth, America’s espionage activities are fundamentally different from China’s. While, as Wittes writes, Chinese hacking “is apparently conducted without minimization requirements, without court orders, or legislative oversight – indeed, without any publicly known rules,” American intelligence agencies operate within a legally and politically accountablesystem subject to extensive legislative and judicial oversight. Furthermore, U.S. intelligence agencies do not engage in economic espionage for the benefit of state-owned corporations, as China’s do. And, Clapper’s comments notwithstanding, there is no evidence that U.S. intelligence agencies collect medical records and significant personal information on tens of millions of people that have little to no foreign intelligence value in the traditional context. This is as it should be.

But the international ferment that followed the Snowden revelations focused not on the limitations and democratic accountability of American intelligence activities but on their alleged affront to international norms respecting individual privacy.

In particular, the United States – along with the United Kingdom – have come in for significant criticism for allegedly violating privacy rights articulated by a treaty known as the International Covenant on Civil and Political Rights, signed in 1966. Article 17 of the Covenant provides that “[n]o one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation,” and that “[e]veryone has the right to the protection of the law against such interference.” A September 2014 report by the United Nations’ Special Rapporteur for counter-terrorism and human rights criticized some of the surveillance programs described by the Snowden leaks as contravening this norm, concluding that, “[a]s an absolute minimum, article 17 requires States using mass surveillance technology to give a meaningful public account of the tangible benefits that accrue from its use,” and that the United States and the United Kingdom had failed to provide such an accounting.

These criticisms may be valid or invalid, but what is curious is that such a critique has been almost exclusivelyaimed at the United States and not at the Chinese, whose Orwellian cyber activities dwarf anything the United States has done. And while the U.S. signed and ratified the Covenant with reservations, including that the treaty is largely not self-executing and that U.S. domestic law remains supreme, China has signed but not ratified it. Some groups have rightly urged China to do so, and the United States should call on China to ratify it, too.

Instead of tipping its hat to China’s security services for the OPM hack, Washington needs to call Beijing to equal account to these international law norms. While the hack, standing alone, may not constitute an armed attack giving rise to the right of proportionate self-defense under international law, at the least, Washington should openly reject the moral equivalency that treats China’s actions as par-for-the-course in global affairs. It should speak out against the double standard where American intelligence agencies – which operate under greater scrutiny, conduct less intrusive collection, and respect more rights – are skewered, while Chinese agencies – which operate without any accountability and conduct more invasive activities – escape censure. In the cyber arena, the United States should insist that all powers are held to uniform terms.

Such a stance may yield positive results. Scholar Peter Mattis has written recently that earlier political blowback against overreach by China’s spies compelled Beijing to adopt a risk-averse intelligence policy. Only in the past ten years or so has it become more aggressive, in part because “Chinese leaders may not think China and its peaceful development project face significant international consequences for its intelligence operations abroad,” Mattis posits. It may well be that, if faced with stronger international reproach, Beijing will moderate its policies.

A more explicit effort to hold China to international privacy norms should be part of a larger endeavor to apply international standards of behavior to China to check its often brazen actions. For instance, China’s ongoing efforts to turn the South China Sea into the “Chinese Caribbean” by constructing islands, deploying its navy, and claiming disputed territory, has driven some alarmed neighbors to international legal forums to press their legitimate territorial claims. In early July, for example, the Philippines brought a claim against China under the United Nations Convention of the Law of the Sea to the Permanent Court of Arbitration in the Hague after the Chinese navy took control of a fishing area that lies within the Philippines’ exclusive economic zone. The court has yet to rule on the case, but such efforts should continue by the Philippines and other claimants in order to slow Chinese revanchism and to hold China to the same rules of behavior as other states in the international system.

We live in a new era in which the potential for surveillance both exists at a grander scale and is subject to greater oversight and accountability than ever before – at least in the West. To level the playing field, the United States should distinguish its intelligence collection from China’s and insist that global norms apply as well to Beijing’s uniquely invasive intelligence activities. Calling on China to abide by international standards online and off could amount to more than just tough talk. Such pressure may not only help deter some of China’s most flagrant conduct, but it may also further the development of a rules-based global order in the digital age.

Matthew F. Ferraro (@MatthewFFerraro) is an attorney and former intelligence officer. The views expressed here are his own.

No comments: