By Katie Bo Williams - 09/06/15 08:30 AM EDT
Looming sanctions aimed at Chinese interests suspected of stealing and profiting from U.S. trade secrets are unlikely to directly target Beijing, as the White House is expected to go after companies instead of foreign governments.
A series of leaked comments from unnamed White House sources over the past few days has revealed that sanctions against hackers are now in the works. But experts say they won't apply to cyberattacks like the recent hack of the federal Office of Professional Management, which compromised the personal information of millions of workers and is widely considered to be the work of state-backed hackers.
That’s because the Obama administration is wary of imposing sanctions for normal state-sponsored intelligence gathering tactics the U.S. government itself employs on an ongoing basis.
“[OPM] is something that the federal government looks at as a legitimate intelligence target that we as a government failed to protect,” said Rob Knake, a former White House cyber official and senior fellow at the Council on Foreign Relations. “It does not fall outside the bounds of what intelligence agencies traditionally want to know.”
As a matter of policy, the U.S. has tried to draw a line in the sand between hacking for intelligence-gathering purposes and hacking for commercial gain.
This approach is at least partly a result of the Edward Snowden revelations, which exposed the breadth of U.S. cyber spying on other nations.
“One of my messages to Washington, D.C. is: This feeling you have right now, of being violated by this espionage? That’s how the rest of the world felt after the Snowden revelations,” says Atlantic Council senior fellow Jason Healey, who called using sanctions to “lash out” against China for the OPM hack “dangerous.”
“We told the rest of the world ‘suck it up, this is how the game is played,’” Healey said. “‘If you’re upset with this, then you’re just not paying attention.’”
The latter kind of hacking—hacking to give domestic companies a market edge—has become a red line that experts say is increasingly important to the intelligence community.
“It’s a distinction that doesn’t really matter that much to anybody else and it’s probably incomprehensible to the Chinese,” Healey said—but it gives the U.S. government terra firma when it comes to cybersecurity policy in the wake of the Snowden leaks.
This distinction is why reports that Russia may also be subject to the rumored sanctions are likely untrue.
Experts say that most of Russia’s surveillance on U.S. interests is a very traditional form of intelligence gathering. It doesn’t appear to be benefiting any industry or commercial interests.
“If you look at the targets that Russia traditionally has hit, they’re very much in the model of Cold War spying, very traditional intelligence targets,” Knake said, listing recent hacks on the State Department, the White House and Joint Chiefs of Staff.
The distinction between those two forms of hacking has already been codified in policy.
In April, President Obama issued an executive order giving the Treasury Department the authority to impose sanctions on individuals or entities behind malicious cyberattacks and cyber espionage. If issued, the sanctions against the Chinese would be the first use of the order.
Actions that risk sanctions include an attack on critical infrastructure, disrupting major computer networks and stealing and benefiting from intellectual property.
But traditional intelligence gathering was not listed amongst the kinds of cyber activity that is subject to sanctions, and the White House leaks suggest that the administration will adhere to that policy.
Officials that spoke to the press indicated that the first targets of the sanctions were likely to be large Chinese firms that operate internationally—not President Xi Jinping’s administration.
The Obama administration has come under fire for refusing to publicly attribute various high-profile hacks to Beijing, with critics lambasting the president for failing to retaliate over the ongoing intrusions.
But targeting Chinese companies rather than the Chinese government is not necessarily a “soft” move, experts say.
“It might give the Chinese government an out,” Knake said. “If the U.S. government says, we believe these companies have benefited from the theft of IP, but doesn’t necessarily name the Chinese government as doing it, it might give the Chinese an out to say, ‘we’re going to fiercely prosecute and investigate and punish.’”
In other words, downstream regulation may be a way for the U.S. to impose costs for the kinds of cyber espionage that it objects to without necessarily escalating the simmering tension between the two nations.
“It’s no longer, ‘how do we get the Chinese government to stop targeting U.S. companies to steal their intellectual property,’ it’s ‘how do we get companies that were benefiting from that theft to decide they don’t want to play that game anymore,’” Knake said.
The consequences of the kind of sanctions under discussions are not trivial, Knake says. Chinese firms would essentially lose access to the international financial system, making it very hard to do business internationally.
“It could make companies that have been benefiting from stolen intellectual property say, ‘hey, actually we have more to lose than to gain through this transaction,” Knake said.