8 April 2020

Evolutions in the U.S. Chinese-Hacking Indictment Strategy

By Jakob Bund

On the heels of the indictment of a China-backed hacking group in December 2018, Jack Goldsmith and Robert Williams presented a compelling case that U.S. attempts to leverage legal action against Chinese hackers affiliated with the country’s security and defense organizations had failed to deter Chinese theft of intellectual property and trade secrets. Noting the difficulty of assessing the effectiveness of the indictment strategy conclusively, Goldsmith and Williams pointed out that a lasting deterrence effect had not materialized and argued that, without the ability to redress the called-out cyber intrusions, indictments might give rise to impressions of weakness and prove self-defeating.

The indictment strategy originated in the criminal charges of economic espionage against five officers of China’s People’s Liberation Army (PLA) announced in 2014. At best, it succeeded in brokering a temporary reprieve in PLA-orchestrated cyber espionage operations. Following organizational restructuring of the PLA in early 2016, operations resumed under China’s Ministry of State Security, while a surge in Chinese direct investment and business acquisitions in the U.S. and across Europe opened up alternative channels by which China could gain access to foreign technology and know-how.
In February, the Department of Justice unsealed a new indictment of four PLA service members, alleging their involvement in the breach of consumer credit reporting agency Equifax and the theft of proprietary business information. A comparative reading of the 2014 and 2020 PLA indictments suggests the United States’s use of indictments has evolved into a differentiated system that pursues a range of independent objectives with audiences beyond China’s leadership. With this in mind, it’s worth reevaluating the merits of the indictment strategy.

The 2014 PLA indictment set the foundation for a cumulative signaling campaign of concerted follow-up actions focused on establishing a normative difference between espionage conducted for competitive advantage and espionage for national security purposes. And the U.S. was willing to accept friction in relations with China in order to make this point. According to then-Attorney General Eric Holder, the case was intended to “serve as a wake-up call to the seriousness of the ongoing cyber threat.”

This step was supported by a sustained campaign of consistent signaling, including credible communication on imposing further costs. Just ahead of the 2015 summit between President Obama and President Xi Jinping, unnamed U.S. government officials floated the possibility that the U.S. might adopt sanctions in response to China’s continued cyber-enabled economic espionage.

This threat of sanctions was combined with signposting for an off-ramp: Chinese commitment to the proscription of commercially motivated economic espionage as sought by the United States. Obama and Xi agreed on a high-level pledge along these lines at their 2015 summit, in which both governments declared not to “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” The Obama-Xi agreement marked China’s recognition of the normative distinction between commercially and security-motivated espionage—though the Chinese government did not always abide by it.

Attorney General Jeff Sessions and Acting Secretary of Homeland Security Elaine Duke renewed this commitment with their Chinese counterparts during the First U.S.-China Law Enforcement and Cybersecurity Dialogue in October 2017. On subsequent occasions, the U.S. has publicly commented on adherence to the agreement and called out China for violating its commitments, including as part of the U.S. trade representative’s investigations into China’s policy and practices under Section 301 of the Trade Act.

In a similarly cumulative approach that draws combined strength from a series of coordinated steps, the 2020 PLA indictment ties into existing efforts. At the same time, different aspects of the indictment contribute to individual objectives. This broadening set of goals underscores the diversification that the indictment strategy has undergone since 2014.

The Justice Department press release announcing the indictment made a point of reasserting the U.S. government’s ability to attribute the attack and detailed the lengths to which the attackers had gone to evade detection, “rout[ing] traffic through approximately 34 servers located in nearly 20 countries to obfuscate their true location, us[ing] encrypted communication channels within Equifax’s network to blend in with normal network activity, and delet[ing] compressed files and wip[ing] log files on a daily basis in an effort to eliminate records of their activity.”

With U.S.-China relations in their current state, this “attribute because we can” component of the indictment carries important signaling value in itself. As a range of Chinese technology firms face severe restrictions on their access to critical components from U.S. suppliers following the imposition of onerous export licensing requirements by the U.S. Department of Commerce, espionage activities are likely to ramp up to support efforts at developing domestic supply chain alternatives. In an atmosphere of (select) economic decoupling, where the U.S. is curtailing its economic leverage over China by reducing the country’s access to essential building blocks of Chinese electronics, China may sense it has less to lose from doubling down on the illicit acquisition of intellectual property.

More so than for any of the previous indictments, timing figures as a central factor, if not motive, in the 2020 indictment. Amid rising tensions, the indictment makes a clear point to China that there is little reason for confidence that future attempts at theft will go undetected. The unequivocal message is that these attempts will be uncovered and linked back to China—possibly accompanied by more punitive follow-ups than a nonactionable indictment. In a climate of reduced restraint on gray-space activity that seeks to exploit the full spectrum of coercive measures right up to the threshold of an armed attack, the same message also cautions against the use of cyber capabilities for more destructive or disruptive purposes.

In this regard, it is worth remembering that indictments go beyond the attribution of an operation to individual actors and their sponsoring or authorizing organizations. Indictments indicate a willingness to share evidence and accept, at least in principle, the possibility of giving up sources and methods in the process. According to recent remarks by Assistant Attorney General for National Security John Demers at the RSA Conference, indictments are the result of confidence in the ability to “prove the allegations of that indictment beyond a reasonable doubt, in court, using only unclassified, admissible evidence to twelve people who are not familiar with the subject matter.” Indictments are a testament to the government’s readiness to release evidence and a demonstration of confidence in the strength of that evidence—raising the credibility of attribution findings, encouraging strategic partners to participate in joint attribution and reinforcing norms of attribution.

The United States’s willingness to bring an indictment is also part of an effort to provide reassurance to strategic partners about the strength of the underlying evidence and animate them to join attribution based on intelligence shared by the U.S. These efforts build on the assumption that a broader set of U.S. allies and partners is prepared to call out malicious actions than has the capabilities to conduct independent investigations to identify perpetrators. In December 2018, for instance, the Justice Department unsealed charges against two Chinese hackers, allegedly affiliated with the Ministry of State Security, for cyber-enabled theft of intellectual property and confidential business information. The announcement of the indictment was followed by supporting statements from at least 13 additional governments—either joining in the attribution or more broadly expressing concerns about China’s malicious cyber operations—including at least six countries targeted by the ministry-backed group in the same campaign.

While the 2014 PLA indictment was directed squarely at China’s leadership, the 2020 indictment addresses sponsors of peacetime cyberattacks more broadly and speaks to global ambitions to hold threat actors accountable. The Justice Department announcement of the charges against the PLA service members provided attribution by indictment. Continuity in signaling in a wider global context means building a consistent practice of attributing culpability and, where possible, indicting the actors responsible for significant cyberattacks. In this vein, the attribution aspect of the 2020 indictment continues the lineage of prosecuting illegal and harmful cyber-enabled operations carried out by adversaries linked to the defense and intelligence establishments of Iran (March 2016, March 2018), Russia (March 2017, February 2018, July 2018) and North Korea (September 2018). Indictments against China line up with this broader body of legal action and seek to reinforce behavioral standards, against which other potential threat actors can be held accountable.

Demers noted in March that “this is not a Justice Department by itself approach to solving this problem,” but a step to enable other agencies to leverage their tools, especially in cases where indictments are unlikely to proceed to court. Follow-up options of this kind include Commerce Department restrictions on access to U.S. suppliers, sanctions by the Treasury Department on companies that benefited from cyber-enabled theft and/or any individual involved in the operation, as well as efforts by the State Department to broker normative commitments as a basis for leveraging diplomatic pressure.

Depending on the victims of the respective operations, indictments can also communicate the seriousness of the threat to the private sector domestically and in allied countries. Details published in the indictments raise awareness for a wider pool of potential targets about the scope and pervasiveness of the espionage efforts. Targeting high-profile industry representatives that run business models intensive in intellectual property and proprietary data, the operations covered in the 2014 and 2020 PLA indictments certainly fall into this category.

The Defense Department has further recognized the importance of criminal accusations for establishing state practice and the associated support for the department’s “defend forward” doctrine. Deputy Assistant Secretary of Defense for Cyber Policy Thomas Wingfield emphasized this point, stating that “you need to come out and say ‘and therefore we’re shutting down this group, therefore we’re not permitting that kind of intrusions’.” U.S. Cyber Command recently conducted its first publicly reported operation outside of an armed conflict based on this doctrine: Code-named “Synthetic Theology,” the operation aimed to degrade Russia’s capabilities to spread disinformation in the immediate run-up to and aftermath of the 2018 U.S. midterm elections. Building on the legal foundation set with the February 2018 indictment of the Internet Research Agency troll farm and key figures affiliated with the organization, the operation ratcheted up the cost for transgressive behavior and carried the momentum of the 2018 indictment forward.

Any decision to file an indictment or move forward with attribution will also need to consider the cost of inaction and seeming acquiescence to illegal activity. Even in the absence of any other positive gains or follow-up measures, indictments and attribution statements protect against inconsistency in policy responses that might otherwise weaken precedent and hollow out expectations of responsible state behavior. Inconsistent signaling influences adversaries’ strategic calculus in equal measure and risks convincing an adversary that there are no predictable consequences to going on the offensive.

Reporting by the cybersecurity firm CrowdStrike points to an additional strength inherent in the revelation of tactics, techniques and procedures associated with indictments of advanced persistent threat (APT) groups. More than any other actor—notably including indicted groups from Iran, Russia and North Korea—Chinese APT groups have shown a marked responsiveness to indictments. APT1, APT3 and APT10 ceased operations, at least in their original composition, after criminal accusations detailed their operations. This pronounced impact on Chinese threat actors offers empirical support for the particular value of pursuing an indictment strategy with China and demonstrates its efficacy, at a minimum in slowing down operational tempo by forcing groups to retool and reorganize. In this vein, indictments contribute a low-escalation measure to the toolkit for disrupting operations of the specific Chinese threat actors targeted by an indictment. Alongside possible operations aimed at directly taking down the attack infrastructure of Chinese APTs, the disruption achieved by indictments focuses on the organizational aspects and coordination capability of these groups. Those capabilities need to be rebuilt as the publication of operational details pushes individual APTs to regroup. In this view, indictments provide a cost-effective way to turn Chinese threat actors' own efforts to avoid detection against them, while managing the risk of spurring a retaliatory spiral.

The expanded ambitions of the U.S. indictment strategy have rendered effective signaling an ever more complex endeavor. In addressing multiple audiences and objectives, an evolved indictment strategy faces new challenges: It must avoid sending mixed or confusing signals. Taking account of the widened set of objectives, the government must integrate individual signaling efforts to build momentum and achieve the decisive cumulative effect.

With multiple objectives and audiences simultaneously in play, any meaningful effects on threat actor behavior are conditional on concerted and clearly differentiated follow-on activity to ensure that the respective messages are received as intended. Any measures of success will need to manage expectations for the indictment strategy across a broad band of objectives and consider the cost of inaction and of breaking from practice the United States has sought to establish. Engagement efforts by the Justice and Defense departments, such as the China Initiative Conference hosted by the Center for Strategic and International Studies and high-level participation in the RSA Conference, have provided important commentary and opportunity to describe actions in context.

In an environment governed by the near absence of adversary communication that seeks to reach beyond a mutual sense of the zero-sum tendencies conditioned by great power competition, risks of miscalculation and escalation are a constant companion. Under these circumstances, continuity and consistency in signaling facilitated through indictments can fill a vacuum that would otherwise be destabilizing, reduce the space for strategic ambiguity for adversaries and establish behavioral practice that can breathe life into norms.