Years of speculation are finally giving way to some hard evidence of the Chinese government’s role in cyber espionage. A new report by cyber-security firm Mandiant is making waves, including on the front page of Tuesday’s New York Times. Mandiant traced the overwhelming percentage of cyber attacks on the U.S. government and American businesses and organizations to one building on the outskirts of Shanghai, occupied by People’s Liberation Army Unit 61398. Despite years of growing evidence, American government agencies, such as the National Intelligence Council and Pentagon, have danced around the issue of state-sponsored cyber-attacks, even while acknowledging that many attacks can be pinpointed in China.
Yet the image of a pimply Chinese teenager launching sophisticated cyber-hacks, à la some updated Matthew Broderick in War Games, was never really believable. Mandiant’s report should knock the first bricks from the wall that has served, even unwittingly, to protect the Chinese government from foreign pressure over cyber-espionage. According to the Times, Mandiant discovered how Unit 61398 (or its affiliates) stole “technology blueprints, manufacturing processes, clinical trial results, pricing documents, negotiation strategies and other proprietary information from more than 100” companies that hired the firm to protect their secrets. That may have aversely affected business deals worth billions of dollars.
Yet as the Times points out, there may be even more to worry about than we supposed. Unit 61398 “increasingly [is focused] on companies involved in the critical infrastructure of the United States — its electrical power grid, gas lines, and waterworks.” A few years ago, the Wall Street Journal revealed how Chinese-origin attacks stole volumes of information on the F-35 stealth fighter’s development from subcontractors working with Lockheed Martin. China’s actions, then, have direct national-security implications. They are attempting to get the keys to our most sophisticated weapons systems, as well as a chokehold on the vital nodes of America’s domestic utilities. And all this is after years of stealing terabytes of information from ordinary U.S. manufacturers and multinational corporations.
Has Beijing crossed a Rubicon? By some estimates, Chinese cyber-espionage is the greatest crime in history, measured in monetary terms. The Times reports that the Obama administration may tell Chinese leaders that the cyber-attacks “threaten the fundamental relationship” between the two countries. And yet, the White House will not yet admit that the majority of attacks are coming from groups connected with PLA Unit 61398. The political fear of upsetting the apple cart of Sino-U.S. ties continues to make America vulnerable to Chinese cyber-aggression. Years of U.S. reluctance to push Beijing harder on this issue clearly only emboldened it. Now that there is hard evidence of official Chinese involvement, any further failure to make China pay some type of penalty for its actions will further erode U.S. credibility around the world. Washington will be seen as too timid or weak to protect its own interests, and that will make others think harder about trusting it to advocate for theirs.
There is no longer any excuse for failing to make this the top priority in U.S.–China relations. Chinese officials have never taken our complaints seriously, for good reason. However, there are a number of actions we should be willing to take to make clear how serious this issue is. Canceling political and military meetings and looking harder at sanctions against PLA-connected companies are just two of the options we should put on the table. Washington should also look to work more closely with allies and partners that have been targeted, and seek a common front with which to confront Beijing. A joint response will speak much louder than unilateral ones.
There are right ways and wrong ways to develop relationships with rising powers. At present, we are doing a lot of the wrong things, some of which are adding materially to global instability and resulting in concrete economic harm. By sending the wrong message, we encourage bad behavior and copycat crimes. When the rising power is building a military to target yours in a vital area of the world, its cyber-aggression has to be seen as part of a larger plan for weakening America. The longer we bury our heads in the sand, the more vulnerable we become and the more likely it is that the end result will be worse than what we hoped to avoid.
— Michael Auslin is a scholar at the American Enterprise Institute in Washington.