The Justice Department raised eyebrows on Monday when it unveiled charges against four members of China’s People’s Liberation Army for hacking into the credit-reporting agency Equifax and stealing sensitive information on 147 million Americans. The charges are the latest in a campaign of indictments against Chinese-government-linked hackers that dates to 2014 but has ramped up considerably since 2017, the year the Equifax breach took place. Like the defendants in several prior hacking indictments, the men whose identities were revealed to the world this week are based in China and almost certainly will never appear in a U.S. court to stand trial. Taken alone, the indictments are a hopelessly anemic response to one of the largest personal-data breaches ever recorded.
The bigger picture doesn’t look much better. As the Harvard law professor Jack Goldsmith and I have argued before, if deterrence is the measure of success, the United States’ Chinese-hacking indictment strategy has all the earmarks of a spectacular failure. A raft of media and government reports suggests that China’s state-sponsored cybertheft has not meaningfully diminished in response to the U.S. indictment campaign. This shouldn’t come as a surprise: The costs to China of being “named and shamed” are almost certainly dwarfed by the billions of dollars of value obtained from pilfering U.S. technologies and the untold intelligence benefits of cultivating a massive database on American citizens.
If not deterrence, what might be the purpose of these indictments instead?
Some have argued that one aim of the indictment strategy is to enforce a norm against state-sponsored theft of intellectual property carried out to support a nation’s commercial firms. The norm was articulated in President Barack Obama’s September 2015 meeting with Chinese President Xi Jinping, with each country agreeing that it would not “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” (This commitment was later endorsed by the G20.) The cyber agreement followed on the heels of the first ever U.S. indictment of Chinese People’s Liberation Army hackers, in 2014; many at the time credited the indictments with facilitating the establishment of the norm. In hindsight, however, the fact that China and other countries have continued their theft of U.S. commercial secrets with little penalty suggests that the cybertheft norm is not much of a norm at all.
Even if norm construction were the objective, the Equifax allegations do not obviously breach a standard that the United States has embraced. The 2015 U.S.-China agreement did not mention hacking for national-security purposes (as opposed to commercial benefits), and the U.S. government has hardly suggested that it would forgo stealing data to protect U.S. national security. Former Director of National Intelligence James Clapper illustrated this dilemma when discussing China’s 2015 breach of the Office of Personnel Management, which compromised background-investigation files on 22 million Americans. Clapper observed, “You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”
To be sure, the Equifax charging documents allege that customer data held by the company constituted “proprietary business information.” But this does not mean that the Justice Department is treating this breach as a violation of the norm against cybertheft for commercial purposes. If anything, recent developments—including the ongoing national-security investigation into the Chinese company that owns TikTok—demonstrate that the U.S. government is treating personal data more and more as a “dual use” item with commercial and national-security value alike. As Attorney General William Barr put it, “This data has economic value, and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence targeting packages.”
It is thus unlikely that the aim of the Equifax indictments is merely to restate the U.S. position on norms of acceptable state conduct in cyberspace. Nor is it plausible that the Justice Department would have sought this opportunity to articulate a new position that theft of personal data to this degree—in such massive quantities, with such expansive security and commercial implications—represents conduct that all countries (even the United States) should forswear.
This is not to deny the legitimacy of enforcing U.S. domestic laws that prohibit “computer fraud and abuse” or “economic espionage.” But given the dim chances that this approach to enforcement will succeed in curbing Chinese behavior, we are left to wonder what other purposes (aside from deterrence) the indictments are intended to serve.
One possibility is that the indictment strategy may be working in imperceptible ways in conjunction with the United States’ new offensive posture in cyberspace. The unclassified summary of the Department of Defense’s 2018 cyber strategy pledges to “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” This turn of phrase may signal an effort to shift from deterrence toward disrupting and degrading the capabilities of malicious actors. The “defend forward” strategy was countenanced by Congress in a statute that authorizes “appropriate and proportional action in foreign cyberspace to disrupt, defeat, and deter” an active campaign of cyberattacks against the United States committed by one of four nations, including China.
It is conceivable that Justice Department hacking indictments provide a legal predicate that aids the Pentagon (through U.S. Cyber Command) in certifying the legality of forward-defense options in response to a “campaign of attacks.” Attribution of cyber operations is a notoriously complex and difficult enterprise. But if prosecutors can convince an impartial grand jury about Chinese cyber intrusions against U.S. interests, that public record could help justify the decision of defense officials to green-light disruptive operations in Chinese networks. Such an approach would align with former Assistant Attorney General John Carlin’s 2016 remark that “in some cases … a prosecution may not be the right option, but attribution [by the Justice Department] opens the door for sanctions, disruption operations and bilateral diplomacy.”
Even if this speculation is correct, however, it remains unclear why attribution must be done publicly, with the attendant risks that the U.S. government will appear feckless to third parties and invite further malicious activity on U.S. networks. Perhaps indictments are intended to lay the groundwork to justify future sanctions against China should the U.S. administration choose to exercise this authority as it has in connection with cyber activity by Iran, North Korea, and Russia. But sanctions would leave U.S. companies that operate in China vulnerable to retaliation at a delicate moment in bilateral trade relations, which may explain why they have never been triggered.
Or maybe indictments serve a more precise signaling function by temporally linking U.S. “disrupt and degrade” operations to the (indicted) activities they aim to counter. The United States and China are immersed in a cybersecurity dilemma in which all sides are at pains to distinguish acts of preemption and retaliation. Concepts of cyber offense and defense are blurry at best. Thus, the signaling effect of an indictment followed closely by a disruptive cyberattack could potentially help avoid misperception and mitigate escalation risks. But the opposite could also be true. If perceived by China as part of a coordinated “whole of government” effort to thwart China’s rise, indictment plus disruption could aggravate the dangers of an escalation spiral. Has the U.S. factored these considerations into its strategy?
Ultimately, efforts to discern the calculus behind the Chinese-hacking indictments are necessarily speculative and perhaps less illuminating than the simplest version of reality: that indictments are one of the few tools a vulnerable United States is willing to employ to show the public that it is “doing something” about persistent cyberthreats. It is fair to wonder whether and when the resources being devoted to this effort will be complemented by equally energetic policies to incentivize companies to adopt the basic cyber hygiene that could have prevented the Equifax breach in the first place.