On Friday September 25, Presidents Obama and Xi announced a deal between the United States and China limiting “economic cyberespionage.” According to the Washington Post story:
The formulation reached, and reiterated by the two leaders, said that “neither the U.S. or the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.”
There has been a lot of discussion and opinion about the merits of this deal, primarily about its enforceability. Proponents say that although the deal is not perfect, it is a step in the right direction. Critics argue that it will not be honored and that the U.S. should resort to sanctions, directly impacting China at a time when their economy is already struggling.
One aspect of this and related stories that has been under-reported is the rationale for the very careful wording of “economic cyberespionage” and why this distinction is both important and difficult. At a hearing of the House Permanent Select Committee on Intelligence on September 10, Director of National Intelligence James Clapper cautioned against sweeping pronouncements and policy actions related to cyberespionage. As the Snowden leaks indicated, the U.S. also engages in intelligence-gathering via cyberspace, as do essentially all countries, and these activities are not prohibited under the International Laws of War, the most applicable legal framework. While espionage can certainly be prosecuted under the domestic laws of various countries this is almost never feasible in the case of cyberespionage (one recent counter-example is last year’s indictment of five Chinese military personnel for hacking).
But if mere cyberespionage is not sufficient grounds, how can we protest the large-scale theft of intellectual property from U.S. based companies? The distinction is “economic cyberespionage” where the definition is carefully laid out in the official statement: “cyber-enabled theft of intellectual property…for commercial advantage.” Interestingly, the recent theft of OPM data which caused much of the current commotion and is certainly a very serious national security breach, probably fits the definition of plain old cyberespionage, not economic cyberespionage, which increases the level of consternation all around (and may be why the administration reversed course on public blame of China over this incident).
Unfortunately in China the distinction is often murky. Wikipedia, for example, provides a long list of Government-Owned Companies of China; other sources estimate that perhaps 20-30,000 Chinese companies are directly owned by the People’s Liberation Army (PLA). So is a piece of information gathered by the PLA, that finds its way to a commercial firm owned by them, “economic” or “cyberespionage”? Both the law and the common understanding of these principles for companies and nation-states operating in cyberspace are evolving rapidly, with many issues still unsettled. The fact that they are openly on the table and the subject of Presidential level agreements is surely a step forward.