Computer security companies will be scrutinizing their data logs more intently in coming months, looking for signs that attacks on U.S. corporations originating in China are declining.
President Obama and his Chinese counterpart, Xi Jinping, announced Friday that the two countries had agreed not to conduct or support theft of intellectual property for commercial advantage. The agreement also includes a pledge to coöperate with requests to investigate attacks, collect evidence, and take enforcement action. A ministerial-level dialogue between the two countries, and a “red phone” hotline, will be established to ensure that such requests are taken seriously.
The agreement comes after several years of escalating complaints from U.S. corporations and the Obama administration about American corporate secrets being stolen through attacks originating in China. It does not cover state espionage, such as the attack that exposed a data trove including records of 5.4 million fingerprints from the Office of Personnel Management, which U.S. officials suspect was carried out by China.
Dmitri Alperovitch, chief technology officer of the security company CrowdStrike, which has tracked intrusions by Chinese groups, says the leaders’ announcement could be an effective deterrent. “I’ve been waiting for this day for years,” he says.
Alperovitch notes that his company and others will be able to tell if the new agreement has worked by monitoring attacks on their customers. “I don’t think that overnight we’ll have a cessation of commercial espionage activity, but we’ll be looking very closely to see if there’s any reduction longer term,” he says.
CrowdStrike and other private security companies have released detailed reports laying out connections between attacks on major corporations and Chinese hacking groups, or even specific Chinese military and intelligence units (see “Exposé on Chinese Data Thieves Reveals Sloppy Tactics”). And last year the U.S. Department of Justice indicted five Chinese military officers and released a detailed dossier of evidence linking them to thefts of intellectual property from U.S. companies including Westinghouse (see “How the U.S. Could Escalate Its Name-and-Shame Campaign Against China’s Espionage” and “Cyber-Espionage Nightmare”).
Alperovitch says that the new agreement means China won’t be able to brush off detailed evidence as it has in the past. “They will no longer just be able to say ‘We don’t have hacking in China’—they will have to provide discrete responses,” he says.
Richard Bejtlich, chief security strategist at the security company FireEye and a senior fellow at the Brookings Institution, also cautiously welcomed the new agreement. He noted that President Xi had emphasized economic coöperation in his press conference after meeting President Obama.
However, a less charitable interpretation of the new security agreement would be that China believes hackers in the country could evade detection well enough to prevent investigations from working out. “China’s operational security has traditionally been poor overall,” says Bejtlich. “But they have improved over the last few years as private-sector companies like Mandiant and FireEye have exposed Chinese campaigns.”
In a blog post responding to the new agreement, Robert Knake, a senior fellow for cyber policy at the Council for Foreign Relations, predicted that China would take enforcement action against government and corporate figures as part of a recent anticorruption campaign. “They will frame it as part of their internal efforts to reduce corruption and not as caving to U.S. pressure,” he wrote.
The most intense pressure from the United States seems to have come from the threat of economic sanctions. An executive order by President Obama in April this year cleared the way for sanctions against individuals who carry out or benefit from computer attacks that allow theft of commercially useful data. This August, the Washington Post reported that sanctions against specific companies and individuals were being drawn up.
At the news conference announcing the new agreement on Friday, President Obama signaled that sanctions were still a possibility. “We will apply those, and whatever other tools we have in our tool kit, to go after cybercriminals either retrospectively or prospectively,” he said.