So have they or haven’t they?
Ever since President Obama and Chinese President Xi Jinping agreed last September that commercial cyberespionage for profit is off limits, experts and policymakers have asked one burning question: Has Beijing really stopped or changed its operations?
On Tuesday, US Assistant Attorney General John Carlin confirmed there had been a drop in Chinese commercial cyberespionage, but added a needed note of caution: "There is a debate as to how long lasting it might be, but there has been a change."
Mr. Carlin’s hand may have been forced by a report last week by cybersecurity firm FireEye on a staggering decline: from a plateau of around 60 to 70 compromises per month by Chinese-linked groups, the number has dropped to about five per month just two years later.
The decline started in mid-2014, following the US indictment of Chinese military hackers in May 2014, and really plummeted in July 2015, just after the Obama administration finalized sanction authority to use against China and in the run-up to President Xi’s visit.
It now appears that operations are shifting away from nonstate spies in favor of state-run professional intelligence teams with superior tradecraft. The threat "is less voluminous but more focused, calculated, and still successful in compromising corporate networks," in FireEye’s words.
So, should we consider this a success or a failure?
It's certainly a win for the political and diplomatic process. After years of tripping over itself, the US government finally started speaking publicly about something we decided to be a critical national security issue.
The US unilaterally took a stand against international commercial cyberespionage and by some miracle (and hard diplomacy) got the United Nations Group of Government Experts and the G-20 to agree. Even China's head of state jumped in with personal and public commitments in support of the US position. In diplomacy, that's a result.
But in a larger sense, does a decrease in volume but increase in sophistication mean the United States is better off?
There are clear security upsides to this apparent new normal: A reduction in the volume of Chinese cyberspying means that intellectual property from dozens of corporations won't be flying over the wires back to Beijing. Those companies now don’t have to hire cybersecurity companies to try and kick out Chinese spies.
As I wrote last month, if the US-China cyberespionage agreement “reduces Chinese espionage by only 5 percent it will be probably the single most effective countermeasure we’ve ever taken” and will “cost us almost literally nothing compared to the tens of billions of dollars” spent for programs such as the Comprehensive National Cybersecurity Initiative, the Obama administration's plan to safeguard America's digital networks.
Even so, I may have underestimated the impact: FireEye reported not a drop of 5 percent but more than 90 percent. What other solution have we ever implemented for such success at so little cost?
Moreover, it should be easier for Xi and the Communist Party to keep control over professional spies compared to large numbers of amateurs banging around US networks. This should tamp down chances for escalation in the US-China cyber relationship.
Third, future US countermeasures could be even more effective. With fewer Chinese economic spies, our indictments or sanctions can target the fewer fish in a smaller pond. And should the president ever order US Cyber Command to disrupt the command-and-control infrastructure used to support Chinese espionage, there may be fewer such targets.
Yes, there are downsides to a smaller, more professional China cyberespionage intelligence operation. Their pros are going to be more capable and more cunning – just like our National Security Agency or CIA. When they go after US companies or government agencies, they will be even more likely to get in undetected.
In addition, my colleague Michael Tanji of the cybersecurity firm Kyrus worries about the potential for new rogue actors: “If you’re a Chinese hacker who doesn’t make the cut to the professional team, what happens? Bagging groceries during the day; pwning US companies at night?” But, fortunately, such rogues would be even more worrisome for China.
Also, as The New York Times' David Sanger recently noted, “The same political forces that may be alleviating the theft of data from American companies are also responsible for Mr. Xi’s stunningly swift crackdown on the Chinese media, bloggers, and others who could challenge the Communist Party.” Empowering these forces likely means more internet crackdowns in China or more censorship, including on US companies operating in China.
On the one-year anniversary of the agreement, this September, the Obama administration should not just confirm the trend, but support that claim with details backed by declassified intelligence to truly establish if these reports of reduced activity are true or not.
Obama has put the issue of Chinese commercial cyberespionage front and center in his overall policy with China. It is time for us to know if Xi is living up to his promises to Obama – and to all of us in cyberspace.
Jason Healey is senior research scholar at Columbia University’s School of International and Public Affairs and senior fellow at the Atlantic Council. Follow him on Twitter @Jason_Healey.