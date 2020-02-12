If not deterrence, what might be the purpose of these indictments instead?

Some have argued that one aim of the indictment strategy is to enforce a norm against state-sponsored theft of intellectual property carried out to support a nation’s commercial firms. The norm was articulated in President Barack Obama’s September 2015 meeting with Chinese President Xi Jinping, with each country agreeing that it would not “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” (This commitment was later endorsed by the G20.) The cyber agreement followed on the heels of the first ever U.S. indictment of Chinese People’s Liberation Army hackers, in 2014; many at the time credited the indictments with facilitating the establishment of the norm. In hindsight, however, the fact that China and other countries have continued their theft of U.S. commercial secrets with little penalty suggests that the cybertheft norm is not much of a norm at all.

Even if norm construction were the objective, the Equifax allegations do not obviously breach a standard that the United States has embraced. The 2015 U.S.-China agreement did not mention hacking for national-security purposes (as opposed to commercial benefits), and the U.S. government has hardly suggested that it would forgo stealing data to protect U.S. national security. Former Director of National Intelligence James Clapper illustrated this dilemma when discussing China’s 2015 breach of the Office of Personnel Management, which compromised background-investigation files on 22 million Americans. Clapper observed, “You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”

To be sure, the Equifax charging documents allege that customer data held by the company constituted “proprietary business information.” But this does not mean that the Justice Department is treating this breach as a violation of the norm against cybertheft for commercial purposes. If anything, recent developments—including the ongoing national-security investigation into the Chinese company that owns TikTok—demonstrate that the U.S. government is treating personal data more and more as a “dual use” item with commercial and national-security value alike. As Attorney General William Barr put it, “This data has economic value, and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence targeting packages.”

It is thus unlikely that the aim of the Equifax indictments is merely to restate the U.S. position on norms of acceptable state conduct in cyberspace. Nor is it plausible that the Justice Department would have sought this opportunity to articulate a new position that theft of personal data to this degree—in such massive quantities, with such expansive security and commercial implications—represents conduct that all countries (even the United States) should forswear.