This is not to deny the legitimacy of enforcing U.S. domestic laws that prohibit “computer fraud and abuse” or “economic espionage.” But given the dim chances that this approach to enforcement will succeed in curbing Chinese behavior, we are left to wonder what other purposes (aside from deterrence) the indictments are intended to serve.
One possibility is that the indictment strategy may be working in imperceptible ways in conjunction with the United States’ new offensive posture in cyberspace. The unclassified summary of the Department of Defense’s 2018 cyber strategy pledges to “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” This turn of phrase may signal an effort to shift from deterrence toward disrupting and degrading the capabilities of malicious actors. The “defend forward” strategy was countenanced by Congress in a statute that authorizes “appropriate and proportional action in foreign cyberspace to disrupt, defeat, and deter” an active campaign of cyberattacks against the United States committed by one of four nations, including China.
It is conceivable that Justice Department hacking indictments provide a legal predicate that aids the Pentagon (through U.S. Cyber Command) in certifying the legality of forward-defense options in response to a “campaign of attacks.” Attribution of cyber operations is a notoriously complex and difficult enterprise. But if prosecutors can convince an impartial grand jury about Chinese cyber intrusions against U.S. interests, that public record could help justify the decision of defense officials to green-light disruptive operations in Chinese networks. Such an approach would align with former Assistant Attorney General John Carlin’s 2016 remark that “in some cases … a prosecution may not be the right option, but attribution [by the Justice Department] opens the door for sanctions, disruption operations and bilateral diplomacy.”
Even if this speculation is correct, however, it remains unclear why attribution must be done publicly, with the attendant risks that the U.S. government will appear feckless to third parties and invite further malicious activity on U.S. networks. Perhaps indictments are intended to lay the groundwork to justify future sanctions against China should the U.S. administration choose to exercise this authority as it has in connection with cyber activity by Iran, North Korea, and Russia. But sanctions would leave U.S. companies that operate in China vulnerable to retaliation at a delicate moment in bilateral trade relations, which may explain why they have never been triggered.
Or maybe indictments serve a more precise signaling function by temporally linking U.S. “disrupt and degrade” operations to the (indicted) activities they aim to counter. The United States and China are immersed in a cybersecurity dilemma in which all sides are at pains to distinguish acts of preemption and retaliation. Concepts of cyber offense and defense are blurry at best. Thus, the signaling effect of an indictment followed closely by a disruptive cyberattack could potentially help avoid misperception and mitigate escalation risks. But the opposite could also be true. If perceived by China as part of a coordinated “whole of government” effort to thwart China’s rise, indictment plus disruption could aggravate the dangers of an escalation spiral. Has the U.S. factored these considerations into its strategy?