Two years ago, a senior official from the State Department and one from the Pentagon held an extraordinary four-hour meeting with their counterparts in Beijing.
For the first time, the U.S. government confronted the Chinese government with proof that American companies were being hacked by the People’s Liberation Army to benefit Chinese firms.
The officials presented extensive case studies of three companies in defense and other industries whose computers had been penetrated by the PLA, with details about what data was stolen, when and how.
The reaction? “Shellshocked,” said one former official briefed on the meeting. “They said something like, ‘This is outrageous!’ ” a second former official said. “ ‘You’re here and you accuse us of such a thing? We don’t do this.’ ”
There was a similar response Monday after Attorney General Eric H. Holder Jr. announced the indictments of five PLA members on charges of hacking to benefit Chinese industry.
The Justice Department’s decision to charge Chinese officers was approved at high levels of government and was undertaken, department officials say, because talks had brought little progress. Both efforts — diplomacy and criminal prosecution — are part of a broader, previously undisclosed strategy by the Obama administration to hold China accountable for what officials say is a growing campaign of commercial cyberspying.
“We’re talking about a major change in administration strategy and policy,” said a third former official who, like the others, spoke on the condition of anonymity to discuss administration deliberations.
The approach dates to early 2012. At a White House meeting, “the message was sent from the president himself,” one senior U.S. official said. “This was something that was very important, and he wanted options to push back on the theft of intellectual property by the Chinese.”
The result was a series of measures taken by not only Justice and State, but also the departments of Defense and Homeland Security. The Pentagon, for instance, began last year to conduct defensive cyber-
operations outside its networks to deter Chinese hackers. And a decision was made to confront the Chinese in public and private about their activities.
Whether that strategy will succeed is unclear. China on Monday pulled out of cybersecurity talks scheduled for July. Some commentators, who point out that Beijing will never hand over the accused hackers, are skeptical that the indictments will bring change. Justice Department officials are not fazed. They say the charges are the first of what will become “a new normal.”
On Thursday, Assistant Attorney General John Carlin said criminal charges can justify economic sanctions. They can facilitate diplomacy as officials lay out evidence of cybertheft, and they can lead other governments to take action, he said.
“In the end, indictments alone are not going to solve the problem,” said James Steinberg, a former deputy secretary of state. “The path forward,” said Steinberg, now dean of Syracuse University’s Maxwell School, should be a cooperative way to solve the problem, “rather than tit for tat.”
To understand why the charges were brought, it helps to go back to the aftermath of the meeting in Beijing two years ago.
China’s blunt denial — seen by the United States as a willful refusal to face facts — led to an administration decision to raise the cybersecurity issue at every high-level meeting with the Chinese government, current and former officials said.
In February 2013, DHS for the first time initiated a mass distribution of Internet Protocol addresses and signatures linked to PLA hackers to help companies combat the cyberthreat. The release coincided with the publication of a major report by Mandiant, a cybersecurity company, that exposed a particular hacking group in the PLA: Unit 61398.
The next month, then-national security adviser Tom Donilon,
in a speech at the Asia Society, called on the Chinese to halt the cyber-economic espionage and engage in a dialogue to set norms of behavior in cyberspace. The Chinese, he said, must “take serious steps to investigate” allegations of commercial hacking. It was the first calling out of China by a senior administration official.
That set the stage for what was to be a frank meeting between President Obama and Chinese President Xi Jinping in June. As a result of that meeting in Rancho Mirage, Calif., China agreed to hold regular high-level talks on cybersecurity, which was now considered one of the top priorities in the bilateral relationship.
Two days before the meeting, the first of a series of disclosures about National Security Agency surveillance, based on leaks by former agency contractor Edward Snowden, appeared on the Guardian’s Web site. The revelations, which unspooled over a number of months, also focused attention on NSA hacking of Chinese companies and other entities.
The disclosures “made the foreign policy aspect of talking about cyber and cyber-operations much more difficult,” a senior defense official said. “Because when we complain about military organizations hacking into our private-sector companies, they would say, ‘Well, the United States is actually the king of all hacking. So who are you to talk to us about illegal hacking?’ ”
Officials from Obama on down consistently draw a line between spying for national security and foreign intelligence purposes, and spying on companies to give a competitive advantage to one’s own businesses. The Chinese do not see the difference and point out that the U.S. definition of national security includes securing advantage in trade negotiations and on other international economic issues.
Even as officials were pursuing talks, the Justice Department had begun to focus on ways it might bring criminal cases against foreign government officials for cyber-industrial espionage. Carlin, then principal deputy in Justice’s national security division, began an initiative in 2012 to train national security attorneys to investigate hacking operations carried out by foreign governments.
Improved techniques and cooperation among agencies led to breakthroughs in achieving “attribution,” or the art of concluding with high confidence who was hacking into a victim’s computer. Still, building each case took time. “Do you have sufficiently strong evidence to pursue it?” said the third former official.
Meanwhile, talks continued. In December, State Department Cyber Coordinator Chris Painter, who presented the case studies to the Chinese in 2012, and Pentagon cyber official Eric Rosenbach had meetings with their counterparts in Beijing. The U.S. officials shared cyber-doctrine in a bid to reduce misunderstandings and build confidence. But the Chinese did not reciprocate.
On Monday, officials unsealed the indictments.
Beijing called the charges “purely fictitious, extremely absurd.” The reaction was not unanticipated, a senior administration official said. “I don’t think that there was any way for us to proceed and show our seriousness without experiencing some friction in the relationship,” he said. “While we are very disappointed that the Chinese have canceled that next discussion, we look forward to being able to continue the dialogue when the Chinese are ready.”