A Foundation for Defense of Democracies (FDD) report reviews China’s use of cyber tools to accomplish its strategic objectives and asks what the U.S. should do to counter this developing threat.
The United States and China are engaged in an increasingly intense political, economic, and military competition spanning not only throughout East Asia, but also around the globe. In this competition, China uses cyber means to enhance its strategic position vis-à-vis the United States and its allies and partners.
Report author Zack Cooper writes that China is engaged in wide-ranging cyber intrusions and network exploitations causing massive damage to U.S. and other foreign firms annually. “This cyber campaign is an integral part of China’s broader security strategy and has undermined both American prosperity and security,” Cooper says. “And yet, it has not garnered the public attention warranted by its severity.”
China is estimated to be responsible for 50 to 80 percent of cross-border intellectual property theft worldwide, and over 90 percent of cyber-enabled economic espionage in the United States. Various study groups have estimated that Chinese intellectual property theft could cost over $300 billion annually to the U.S. economy. The U.S.-China Economic and Security Review Commission has concluded that Chinese espionage comprises the single greatest threat to U.S. technology.
The report finds Chinese espionage has not only damaged U.S. companies, but has also helped China save on research and development expenses while catching up in several critical industries. The cumulative effect of China’s cyber-enabled economic espionage has been to “erode the United States’ long term position as a world leader in [science and technology] innovation and competitiveness,” writes Cooper. “Perhaps most worryingly, China is reversing many of the U.S. military’s technical and industrial advantages and creating potential vulnerabilities should a conflict arise.”
The Defense Science Board has warned that “for at least the next decade, the offensive cyber capabilities of our most capable adversaries are likely to far exceed the United States’ ability to defend key critical infrastructures.”
China has also used cyber attacks as a tool of economic coercion to pressure governments and private companies to change their policies. In 2017, for example, after Washington and Seoul announced the deployment of the U.S. THAAD missile defense system to South Korea, the private Korean company on whose land the system was to be positioned suffered significant cyber attacks from China. The FDD report finds that since 2015 the overall number of detected network breaches from China appears to have declined, but experts assess that Chinese cyber activity is “more focused, calculated and still successful in compromising corporate networks.”
Although the response from the United States and its allies and partners has heretofore been inadequate, the post-2015 change in Chinese cyber activities indicates that concerted pressure can alter Beijing’s behavior. A sustained campaign to demonstrate to Beijing that its malicious cyber activities will impair U.S.-China relations is likely the only way to convince the Chinese Communist Party to alter its behavior.
To develop effective policies to protect American innovation and the industrial base as well as change Chinese behavior, Cooper writes that U.S. policymakers must better understand Chinese decision-making regarding cyber-enabled economic activities.
Recent efforts by the U.S. Congress and the executive branch have put in place several recommendations, especially those related to reviewing foreign investment for national security risks. The Foreign Investment Risk Review Modernization Act, for example, which was attached to the FY2019 National Defense Authorization Act, will make the U.S. government’s approach to foreign investment more careful and systematic. The Trump administration has praised the legislation, with President Trump noting “such legislation will provide additional tools to combat the predatory investment practices that threaten our critical technology leadership, national security, and future economic prosperity.” The Commerce Department is also reviewing export controls processes in light of recent incidents of industrial espionage and technology leakage.
While Washington is taking a tougher pubic stance against Beijing, much work remains. Cooper writes that unless U.S. leaders prioritize Chinese cyber-enabled economic espionage and coercion, Beijing is unlikely to curb these activities. As a first step, Cooper suggests the U.S. government works to publicize Chinese activities, incentivize private companies to make attacks public so that there can be accurate assessments of the damage, and explain how each piece fits into a larger whole.
Public-private partnerships provide many opportunities for strengthening protections in both government and the private sector. For example, the Defense Industrial Base Cyber Security Program allows private sector contractors to report to the Department of Defense when they suffer cyber attacks. This information is shared with other defense contractors, allowing them to continually update their systems and protect against intellectual property theft.
“The U.S. government should also work more closely with private companies to help them detect suspicious activity, including through advice on personnel hiring and background screening,” Cooper writes. “Companies should know how to report suspicious activity to law enforcement to more quickly identify suspicious individuals that may be facilitating intellectual property theft.”
The U.S. government should, he adds, also maintain a list of Chinese companies that steal U.S. intellectual property or have used stolen intellectual property. “Putting public pressure on these companies for industrial espionage would make them pay for continuing malicious behavior,” he said. “It would also build awareness and encourage greater debate in the public and expert community, as well as warn the private sector of the risks posed by specific entities.”